Deploy separate glance-api services for OSSN-0090

This patch adopts the recommendation outlined in OSSN-0090 [1], in
which two instances of the glance-api service are deployed:
- A "user facing" glance-api service, accessible via the Public
  keystone endpoint.
- An "internal facing only" service, accessible via the Admin and
  Internal keystone endpoints.

The user facing instance is configured so it does not report any image
location information. This is achieved by configuring glance-api.conf
with the show_image_direct_url and show_multiple_locations set to False.

The internal service operates on a separate TCP port (defaults to 9293)
with its own glance-api.conf that configures show_image_direct_url and
show_multiple_locations set to True.

In order for cinder and nova to have access to the image location data,
both services are configured to access glance via the internal service.

[1] https://wiki.openstack.org/wiki/OSSN/OSSN-0090

stable/zed:
  Backports include I456b4235242cae125f5ad4cd9cc7415f2699462c, which
  fixed a typo in the original patch.

Closes-Bug: #1822540
Depends-On: https://review.opendev.org/c/openstack/puppet-tripleo/+/865874
Depends-On: https://review.opendev.org/c/openstack/tripleo-common/+/865873
Change-Id: Id093613f9d410eb3fe5564a724c0f75275eeb4e8
(cherry picked from commit d60969cb55)
Alan Bishop 2022-11-24 10:06:19 -08:00
parent a044fb80b4
commit 0ba612d07d
25 changed files with 276 additions and 43 deletions

View File

@ -91,6 +91,7 @@
- OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::ExternalSwiftProxy
- OS::TripleO::Services::Frr - OS::TripleO::Services::Frr
- OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GlanceApiInternal
- OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiApi
- OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiMetricd
- OS::TripleO::Services::GnocchiStatsd - OS::TripleO::Services::GnocchiStatsd

View File

@ -9,6 +9,7 @@ parameter_defaults:
- OS::TripleO::Services::Kernel - OS::TripleO::Services::Kernel
- OS::TripleO::Services::Keystone - OS::TripleO::Services::Keystone
- OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GlanceApiInternal
- OS::TripleO::Services::MySQL - OS::TripleO::Services::MySQL
- OS::TripleO::Services::MySQLClient - OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::NeutronApi - OS::TripleO::Services::NeutronApi

View File

@ -50,6 +50,7 @@ resource_registry:
OS::TripleO::Services::Etcd: OS::Heat::None OS::TripleO::Services::Etcd: OS::Heat::None
OS::TripleO::Services::ExternalSwiftProxy: OS::Heat::None OS::TripleO::Services::ExternalSwiftProxy: OS::Heat::None
OS::TripleO::Services::GlanceApi: OS::Heat::None OS::TripleO::Services::GlanceApi: OS::Heat::None
OS::TripleO::Services::GlanceApiInternal: OS::Heat::None
OS::TripleO::Services::GnocchiApi: OS::Heat::None OS::TripleO::Services::GnocchiApi: OS::Heat::None
OS::TripleO::Services::GnocchiMetricd: OS::Heat::None OS::TripleO::Services::GnocchiMetricd: OS::Heat::None
OS::TripleO::Services::GnocchiStatsd: OS::Heat::None OS::TripleO::Services::GnocchiStatsd: OS::Heat::None

View File

@ -36,6 +36,7 @@ parameter_defaults:
- OS::TripleO::Services::Keystone - OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs - OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GlanceApiInternal
- OS::TripleO::Services::HeatApi - OS::TripleO::Services::HeatApi
- OS::TripleO::Services::HeatApiCfn - OS::TripleO::Services::HeatApiCfn
- OS::TripleO::Services::HeatEngine - OS::TripleO::Services::HeatEngine

View File

@ -33,6 +33,7 @@ parameter_defaults:
- OS::TripleO::Services::Kernel - OS::TripleO::Services::Kernel
- OS::TripleO::Services::Keystone - OS::TripleO::Services::Keystone
- OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GlanceApiInternal
- OS::TripleO::Services::HeatApi - OS::TripleO::Services::HeatApi
- OS::TripleO::Services::HeatApiCfn - OS::TripleO::Services::HeatApiCfn
- OS::TripleO::Services::HeatEngine - OS::TripleO::Services::HeatEngine

View File

@ -34,6 +34,7 @@ parameter_defaults:
- OS::TripleO::Services::Kernel - OS::TripleO::Services::Kernel
- OS::TripleO::Services::Keystone - OS::TripleO::Services::Keystone
- OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GlanceApiInternal
- OS::TripleO::Services::MySQL - OS::TripleO::Services::MySQL
- OS::TripleO::Services::MySQLClient - OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::NeutronApi - OS::TripleO::Services::NeutronApi

View File

@ -130,12 +130,6 @@ parameters:
type: boolean type: boolean
tags: tags:
- role_specific - role_specific
GlanceShowMultipleLocations:
default: false
description: |
Whether to show multiple image locations e.g for copy-on-write support on
RBD or Netapp backends. Potential security risk, see glance.conf for more information.
type: boolean
# We default import plugins list to 'no_op' (instead of empty list) to discern from the scenario # We default import plugins list to 'no_op' (instead of empty list) to discern from the scenario
# in which the user purposely disabled all plugins setting it to an empty list. This is useful # in which the user purposely disabled all plugins setting it to an empty list. This is useful
# to automatically enable image_conversion plugin only when value is left to the default. # to automatically enable image_conversion plugin only when value is left to the default.
@ -368,6 +362,23 @@ parameters:
Use the advanced (eventlet safe) memcached client pool. Use the advanced (eventlet safe) memcached client pool.
default: true default: true
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in future release.
GlanceShowMultipleLocations:
default: false
description: |
Whether to show multiple image locations e.g for copy-on-write support on
RBD or Netapp backends. Potential security risk, see glance.conf for more information.
type: boolean
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments.
parameters:
- GlanceShowMultipleLocations
conditions: conditions:
cinder_backend_enabled: cinder_backend_enabled:
or: or:
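Review bot: The re-added GlanceShowMultipleLocations block keeps its old description verbatim, so an operator reading the parameter still sees "Whether to show multiple image locations ..." with no hint of what setting it does now. A later hunk in this file removes the `glance::api::show_multiple_locations` key, so the description should state whether the value is still honoured and point to the internal glance-api service as the replacement.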
@ -494,7 +505,6 @@ outputs:
- read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo read_default_group: tripleo
glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
glance::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] } glance::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
glance::api::enable_v1_api: false glance::api::enable_v1_api: false
@ -518,8 +528,6 @@ outputs:
- {get_param: GlanceCacheEnabled} - {get_param: GlanceCacheEnabled}
- 'keystone+cachemanagement' - 'keystone+cachemanagement'
- 'keystone' - 'keystone'
glance::api::show_image_direct_url: true
glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]}
glance::api::image_member_quota: {get_param: GlanceImageMemberQuota} glance::api::image_member_quota: {get_param: GlanceImageMemberQuota}
glance::api::enabled_import_methods: {get_param: GlanceEnabledImportMethods} glance::api::enabled_import_methods: {get_param: GlanceEnabledImportMethods}
glance::api::node_staging_uri: {get_param: GlanceNodeStagingUri} glance::api::node_staging_uri: {get_param: GlanceNodeStagingUri}
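Review bot: Dropping `glance::api::show_image_direct_url: true` and `glance::api::show_multiple_locations` here leaves the user-facing service with no explicit value for either option in this template, while the commit message says it is configured with both set to False. Hiding location data from the public endpoint is the point of OSSN-0090, so consider setting both keys to false explicitly, or add a comment naming where the default comes from, so the behaviour does not depend on a default defined outside this file.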
@ -552,8 +560,11 @@ outputs:
"%{lookup('fqdn_$NETWORK')}" "%{lookup('fqdn_$NETWORK')}"
params: params:
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]} $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
tripleo::profile::base::glance::api::tls_proxy_port: # Use glance's native port (9292) for tls proxying. The value is
get_param: [EndpointMap, GlanceInternal, port] # hardcoded because the ports in the endpoint map are different (the
# public endpoint uses port 13292, and the internal and admin endpoints
# use port 9293).
tripleo::profile::base::glance::api::tls_proxy_port: 9292
# Bind to localhost if internal TLS is enabled, since we put a TLs # Bind to localhost if internal TLS is enabled, since we put a TLs
# proxy in front. # proxy in front.
glance::api::bind_host: glance::api::bind_host:
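Review bot: `tls_proxy_port: 9292` is now a literal, and an earlier hunk in this file removed `glance::api::bind_port`, so nothing in this template ties the port the user-facing service binds to the port its TLS proxy listens on. The comment explains why the endpoint map cannot be used; it should also say where bind_port for the user-facing service is now set, or both values should be set side by side here. The comment's "public endpoint uses port 13292" also holds only for the TLS endpoint maps: the non-TLS map changed later in this commit keeps GlancePublic on 9292.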

View File

@ -36,21 +36,17 @@ parameters:
List of enabled Image Import Methods. Valid values in the list are List of enabled Image Import Methods. Valid values in the list are
'glance-direct', 'web-download', or 'copy-image' 'glance-direct', 'web-download', or 'copy-image'
type: comma_delimited_list type: comma_delimited_list
EnableGlanceApiProxy:
default: true
description: Configure haproxy to forward glance-api requests to glance-api
services running at the edge site.
type: boolean
resources: resources:
GlanceApiBase: GlanceApiInternal:
type: ./glance-api-container-puppet.yaml type: ./glance-api-internal-container-puppet.yaml
properties: properties:
ServiceData: {get_param: ServiceData} ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap} ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap} EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName} RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters} RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs: outputs:
glance_api_edge_uri: glance_api_edge_uri:
@ -60,39 +56,33 @@ outputs:
- {get_param: EnableInternalTLS} - {get_param: EnableInternalTLS}
- str_replace: - str_replace:
template: template:
"https://%{lookup('fqdn_NETWORK')}:9292" "https://%{lookup('fqdn_NETWORK')}:PORT"
params: params:
NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]} NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]}
PORT: {get_param: [EndpointMap, GlanceInternal, port]}
- str_replace: - str_replace:
template: template:
"http://%{lookup('NETWORK_uri')}:9292" "http://%{lookup('NETWORK_uri')}:PORT"
params: params:
NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]} NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]}
PORT: {get_param: [EndpointMap, GlanceInternal, port]}
role_data: role_data:
description: Role data for the Glance API role for DCN/Edge. description: Role data for the Glance API role for DCN/Edge.
value: value:
map_merge: map_merge:
- get_attr: [GlanceApiBase, role_data] - get_attr: [GlanceApiInternal, role_data]
- service_name: glance_api_edge - service_name: glance_api_edge
firewall_edge_frontend_rules:
if:
- {get_param: EnableGlanceApiProxy}
- {get_attr: [GlanceApiBase, role_data, firewall_frontend_rules]}
firewall_edge_ssl_frontend_rules:
if:
- {get_param: EnableGlanceApiProxy}
- {get_attr: [GlanceApiBase, role_data, firewall_ssl_frontend_rules]}
service_config_settings: service_config_settings:
map_merge: map_merge:
- get_attr: [GlanceApiBase, role_data, service_config_settings] - get_attr: [GlanceApiInternal, role_data, service_config_settings]
- cinder_volume: - cinder_volume:
cinder::glance::glance_api_servers: *glance_api_edge_uri cinder::glance::glance_api_servers: *glance_api_edge_uri
nova_compute: nova_compute:
nova::glance::endpoint_override: *glance_api_edge_uri nova::glance::endpoint_override: *glance_api_edge_uri
config_settings: config_settings:
map_merge: map_merge:
- get_attr: [GlanceApiBase, role_data, config_settings] - get_attr: [GlanceApiInternal, role_data, config_settings]
- if: - if:
- contains: ['glance-direct', {get_param: GlanceEnabledImportMethods}] - contains: ['glance-direct', {get_param: GlanceEnabledImportMethods}]
- glance::api::worker_self_reference_url: *glance_api_edge_uri - glance::api::worker_self_reference_url: *glance_api_edge_uri
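Review bot: Removing `firewall_edge_frontend_rules` and `firewall_edge_ssl_frontend_rules` also removes the `EnableGlanceApiProxy` gate on them, and `role_data` now merges in the GlanceApiInternal output, which defines `firewall_frontend_rules` unconditionally. Please confirm that edge sites deployed with EnableGlanceApiProxy set to false do not end up with the haproxy frontend rule for the internal port opened, and that dropping the ssl frontend rule is intended.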

View File

@ -0,0 +1,183 @@
heat_template_version: wallaby
description: >
OpenStack Glance internal service configured with Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
GlanceApiInternalLoggingSource:
type: json
default:
tag: openstack.glance.api
file: /var/log/containers/glance/api_internal.log
EnableInternalTLS:
type: boolean
default: false
GlanceNetappNfsEnabled:
default: false
description: >
When using GlanceBackend 'file', Netapp mount NFS share for image storage.
type: boolean
ContainerGlanceApiImage:
description: image
type: string
tags:
- role_specific
ContainerGlanceApiInternalConfigImage:
description: The container image to use for the glance_api_internal config_volume
type: string
tags:
- role_specific
resources:
GlanceApi:
type: ./glance-api-container-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
MySQLClient:
type: ../database/mysql-client.yaml
GlanceLogging:
type: OS::TripleO::Services::Logging::GlanceApi
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerGlanceApiImage: ContainerGlanceApiImage
ContainerGlanceApiInternalConfigImage: ContainerGlanceApiInternalConfigImage
- values: {get_param: [RoleParameters]}
- values:
ContainerGlanceApiImage: {get_param: ContainerGlanceApiImage}
ContainerGlanceApiInternalConfigImage: {get_param: ContainerGlanceApiInternalConfigImage}
outputs:
role_data:
description: Role data for the internal Glance API.
value:
map_merge:
- get_attr: [GlanceApi, role_data]
- service_name: glance_api_internal
firewall_rules:
'112 glance_api_internal':
dport:
- {get_param: [EndpointMap, GlanceInternal, port]}
firewall_frontend_rules:
'100 glance_api_internal_haproxy_frontend':
dport:
- {get_param: [EndpointMap, GlanceInternal, port]}
# GlanceApi creates the keystone resources
keystone_resources: {}
config_settings: {get_attr: [GlanceApi, role_data, config_settings]}
service_config_settings:
map_merge:
- get_attr: [GlanceApi, role_data, service_config_settings]
- rsyslog:
tripleo_logging_sources_glance_api_internal:
- {get_param: GlanceApiInternalLoggingSource}
puppet_config:
config_volume: glance_api_internal
puppet_tags: glance_api_config,glance_api_paste_ini,glance_swift_config,glance_cache_config,glance_image_import_config
step_config:
list_join:
- "\n"
- -
str_replace:
template: |
class { 'tripleo::profile::base::glance::api':
bind_port => PORT,
tls_proxy_port => PORT,
log_file => '/var/log/glance/api_internal.log',
show_image_direct_url => true,
show_multiple_locations => true,
}
params:
PORT: {get_param: [EndpointMap, GlanceInternal, port]}
- if:
- {get_param: GlanceNetappNfsEnabled}
- include tripleo::profile::base::glance::netapp
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_attr: [RoleParametersValue, value, ContainerGlanceApiInternalConfigImage]}
kolla_config:
# The kolla_config are essentially the same as the GlanceApi service.
# The only difference is the json file names.
/var/lib/kolla/config_files/glance_api_internal.json:
{get_attr: [GlanceApi, role_data, kolla_config, /var/lib/kolla/config_files/glance_api.json]}
/var/lib/kolla/config_files/glance_api_internal_tls_proxy.json:
{get_attr: [GlanceApi, role_data, kolla_config, /var/lib/kolla/config_files/glance_api_tls_proxy.json]}
docker_config:
step_2:
get_attr: [GlanceLogging, docker_config, step_2]
step_4:
# The internal services share the same GlanceApi docker configs,
# except we swap in the internal service's config_volume.
glance_api_internal:
map_merge:
- get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api]
- volumes:
yaql:
expression: $.data.vols.select($.replace('puppet-generated/glance_api', 'puppet-generated/glance_api_internal'))
data:
vols: {get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api, volumes]}
glance_api_internal_tls_proxy:
if:
- {get_param: EnableInternalTLS}
- map_merge:
- get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api_tls_proxy]
- volumes:
yaql:
expression: $.data.vols.select($.replace('puppet-generated/glance_api', 'puppet-generated/glance_api_internal'))
data:
vols: {get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api_tls_proxy, volumes]}
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop glance api internal container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- glance_api_internal
tripleo_delegate_to: "{{ groups['glance_api_internal'] | default([]) }}"
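Review bot: The `'112 glance_api_internal'` and `'100 glance_api_internal_haproxy_frontend'` rules open the internal port by dport only, while the step_config hardcodes `show_image_direct_url => true` and `show_multiple_locations => true`. The separation this change introduces therefore rests on that port being unreachable from user-facing networks; add a comment stating which network the service binds to (a GlanceApiInternalNetwork entry is added to the ServiceNetMap defaults elsewhere in this change) or restrict the rule's source. Separately, GlanceApiInternalLoggingSource and EnableInternalTLS have no description, and ContainerGlanceApiImage is described only as "image".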

View File

@ -45,6 +45,7 @@ resources:
EndpointMap: {get_param: EndpointMap} EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName} RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters} RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs: outputs:
glance_api_edge_uri: glance_api_edge_uri:
@ -54,14 +55,16 @@ outputs:
- {get_param: EnableInternalTLS} - {get_param: EnableInternalTLS}
- str_replace: - str_replace:
template: template:
"https://%{lookup('fqdn_NETWORK')}:9292" "https://%{lookup('fqdn_NETWORK')}:PORT"
params: params:
NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]} NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]}
PORT: {get_param: [EndpointMap, GlanceInternal, port]}
- str_replace: - str_replace:
template: template:
"http://%{lookup('NETWORK_uri')}:9292" "http://%{lookup('NETWORK_uri')}:PORT"
params: params:
NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]} NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]}
PORT: {get_param: [EndpointMap, GlanceInternal, port]}
role_data: role_data:
description: Role data for the HAproxy role for DCN/Edge. description: Role data for the HAproxy role for DCN/Edge.
@ -85,18 +88,19 @@ outputs:
tripleo::haproxy::designate: false tripleo::haproxy::designate: false
tripleo::haproxy::docker_registry: false tripleo::haproxy::docker_registry: false
tripleo::haproxy::etcd: false tripleo::haproxy::etcd: false
tripleo::haproxy::glance_api: false
- if: - if:
- {get_param: EnableGlanceApiProxy} - {get_param: EnableGlanceApiProxy}
- tripleo::haproxy::glance_api: true - tripleo::haproxy::glance_api_internal: true
glance_api_vip: glance_api_vip:
str_replace: str_replace:
template: template:
"%{lookup('NETWORK')}" "%{lookup('NETWORK')}"
params: params:
NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]} NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]}
glance_api_node_ips: "%{alias('glance_api_edge_node_ips')}" glance_api_internal_node_ips: "%{alias('glance_api_edge_node_ips')}"
glance_api_node_names: "%{alias('glance_api_edge_node_names')}" glance_api_internal_node_names: "%{alias('glance_api_edge_node_names')}"
- tripleo::haproxy::glance_api: false - tripleo::haproxy::glance_api_internal: false
- tripleo::haproxy::gnocchi: false - tripleo::haproxy::gnocchi: false
tripleo::haproxy::heat_api: false tripleo::haproxy::heat_api: false
tripleo::haproxy::heat_cfn: false tripleo::haproxy::heat_cfn: false
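Review bot: The node list keys are renamed to `glance_api_internal_node_ips` and `glance_api_internal_node_names`, but the VIP key a few lines up stays `glance_api_vip`. If the haproxy profile looks up a `glance_api_internal_vip` for the new frontend, the edge proxy would be left without a VIP; either rename the key to match or add a comment that the unprefixed name is intentional.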

View File

@ -235,6 +235,7 @@ outputs:
nova::network::neutron::password: {get_param: NeutronPassword} nova::network::neutron::password: {get_param: NeutronPassword}
nova::network::neutron::auth_url: {get_param: [EndpointMap, KeystoneV3Internal, uri]} nova::network::neutron::auth_url: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
nova::network::neutron::valid_interfaces: 'internal' nova::network::neutron::valid_interfaces: 'internal'
nova::glance::valid_interfaces: 'internal'
nova::rabbit_heartbeat_timeout_threshold: 60 nova::rabbit_heartbeat_timeout_threshold: 60
nova::cinder::catalog_info: 'volumev3:cinderv3:internalURL' nova::cinder::catalog_info: 'volumev3:cinderv3:internalURL'
# NOTE(tkajinam): Make sure the default (services) is overridden # NOTE(tkajinam): Make sure the default (services) is overridden

View File

@ -31,8 +31,8 @@ parameter_defaults:
DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'} DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'} DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'} GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} GlanceAdmin: {protocol: 'https', port: '9293', host: 'CLOUDNAME'}
GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} GlanceInternal: {protocol: 'https', port: '9293', host: 'CLOUDNAME'}
GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'} GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'} GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}

View File

@ -117,6 +117,7 @@ resource_registry:
OS::TripleO::Services::BlockStorageCinderVolume: deployment/cinder/cinder-volume-container-puppet.yaml OS::TripleO::Services::BlockStorageCinderVolume: deployment/cinder/cinder-volume-container-puppet.yaml
OS::TripleO::Services::Keystone: deployment/keystone/keystone-container-puppet.yaml OS::TripleO::Services::Keystone: deployment/keystone/keystone-container-puppet.yaml
OS::TripleO::Services::GlanceApi: deployment/glance/glance-api-container-puppet.yaml OS::TripleO::Services::GlanceApi: deployment/glance/glance-api-container-puppet.yaml
OS::TripleO::Services::GlanceApiInternal: deployment/glance/glance-api-internal-container-puppet.yaml
OS::TripleO::Services::HeatApi: deployment/heat/heat-api-container-puppet.yaml OS::TripleO::Services::HeatApi: deployment/heat/heat-api-container-puppet.yaml
OS::TripleO::Services::HeatApiCfn: deployment/heat/heat-api-cfn-container-puppet.yaml OS::TripleO::Services::HeatApiCfn: deployment/heat/heat-api-cfn-container-puppet.yaml
OS::TripleO::Services::HeatEngine: deployment/heat/heat-engine-container-puppet.yaml OS::TripleO::Services::HeatEngine: deployment/heat/heat-engine-container-puppet.yaml
@ -358,6 +359,7 @@ parameter_defaults:
CinderIscsiNetwork: {{ _service_nets.get('storage', 'ctlplane') }} CinderIscsiNetwork: {{ _service_nets.get('storage', 'ctlplane') }}
GlanceApiNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }} GlanceApiNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
GlanceApiEdgeNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }} GlanceApiEdgeNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
GlanceApiInternalNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
IronicApiNetwork: ctlplane IronicApiNetwork: ctlplane
IronicNetwork: ctlplane IronicNetwork: ctlplane
IronicInspectorNetwork: ctlplane IronicInspectorNetwork: ctlplane
@ -449,8 +451,8 @@ parameter_defaults:
DesignatePublic: {protocol: 'http', port: '9001', host: IP_ADDRESS} DesignatePublic: {protocol: 'http', port: '9001', host: IP_ADDRESS}
DockerRegistryInternal: {protocol: http, port: '8787', host: IP_ADDRESS} DockerRegistryInternal: {protocol: http, port: '8787', host: IP_ADDRESS}
GaneshaInternal: {protocol: nfs, port: '2049', host: IP_ADDRESS} GaneshaInternal: {protocol: nfs, port: '2049', host: IP_ADDRESS}
GlanceAdmin: {protocol: http, port: '9292', host: IP_ADDRESS} GlanceAdmin: {protocol: http, port: '9293', host: IP_ADDRESS}
GlanceInternal: {protocol: http, port: '9292', host: IP_ADDRESS} GlanceInternal: {protocol: http, port: '9293', host: IP_ADDRESS}
GlancePublic: {protocol: http, port: '9292', host: IP_ADDRESS} GlancePublic: {protocol: http, port: '9292', host: IP_ADDRESS}
GnocchiAdmin: {protocol: http, port: '8041', host: IP_ADDRESS} GnocchiAdmin: {protocol: http, port: '8041', host: IP_ADDRESS}
GnocchiInternal: {protocol: http, port: '8041', host: IP_ADDRESS} GnocchiInternal: {protocol: http, port: '8041', host: IP_ADDRESS}

View File

@ -0,0 +1,26 @@
---
features:
- |
Two instances of the glance-api service are now deployed per the
recommendations outlined in `OSSN-0090 <https://wiki.openstack.org/wiki/OSSN/OSSN-0090>`_.
The user facing service does not provide access to image location data,
whereas a new internal glance-api service provides location data to
administrators and services that need it (e.g. cinder and nova), and is
accessible via the admin and internal keystone endpoints.
upgrade:
- |
A new OS::TripleO::Services::GlanceApiInternal service is introduced to
handle deploying the internal instance of the glance-api service. When
upgrading an overcloud deployed with a custom roles file, the new
GlanceApiInternal service must be added to every role that includes the
GlanceApi service. Roles that include the GlanceApiEdge service should not
include the new GlanceApiInternal service.
Deployment of the new internal glance-api service is generally transparent,
and includes updating glance's endpoints in the keystone catalog.
In a Distributed Compute Node (DCN) deployment, the control plane and
all DCN sites need to be updated in order to fully deploy the new internal
glance-api service.
deprecations:
- |
The GlanceShowMultipleLocations parameter is deprecated.
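Review bot: The upgrade note covers custom roles files but not custom endpoint maps. This change moves GlanceAdmin and GlanceInternal from port 9292 to 9293 and the internal service binds to `[EndpointMap, GlanceInternal, port]`, while the user-facing TLS proxy port is hardcoded to 9292, so an environment file that still pins GlanceInternal to 9292 would put both services on the same port. Add a sentence telling operators with an overridden EndpointMap to update the Glance admin and internal ports, and have the deprecation entry say what replaces GlanceShowMultipleLocations.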

View File

@ -90,6 +90,7 @@
- OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::ExternalSwiftProxy
- OS::TripleO::Services::Frr - OS::TripleO::Services::Frr
- OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GlanceApiInternal
- OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiApi
- OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiMetricd
- OS::TripleO::Services::GnocchiStatsd - OS::TripleO::Services::GnocchiStatsd

View File

@ -63,6 +63,7 @@
- OS::TripleO::Services::IpaClient - OS::TripleO::Services::IpaClient
- OS::TripleO::Services::Ipsec - OS::TripleO::Services::Ipsec
- OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GlanceApiInternal
- OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiApi
- OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiMetricd
- OS::TripleO::Services::GnocchiStatsd - OS::TripleO::Services::GnocchiStatsd

View File

@ -78,6 +78,7 @@
- OS::TripleO::Services::Frr - OS::TripleO::Services::Frr
- OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::ExternalSwiftProxy
- OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GlanceApiInternal
- OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiApi
- OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiMetricd
- OS::TripleO::Services::GnocchiStatsd - OS::TripleO::Services::GnocchiStatsd

View File

@ -80,6 +80,7 @@
- OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::ExternalSwiftProxy
- OS::TripleO::Services::Frr - OS::TripleO::Services::Frr
- OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GlanceApiInternal
- OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiApi
- OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiMetricd
- OS::TripleO::Services::GnocchiStatsd - OS::TripleO::Services::GnocchiStatsd

View File

@ -69,6 +69,7 @@
- OS::TripleO::Services::IpaClient - OS::TripleO::Services::IpaClient
- OS::TripleO::Services::Ipsec - OS::TripleO::Services::Ipsec
- OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GlanceApiInternal
- OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiApi
- OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiMetricd
- OS::TripleO::Services::GnocchiStatsd - OS::TripleO::Services::GnocchiStatsd

View File

@ -87,6 +87,7 @@
- OS::TripleO::Services::Frr - OS::TripleO::Services::Frr
- OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::ExternalSwiftProxy
- OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GlanceApiInternal
- OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiApi
- OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiMetricd
- OS::TripleO::Services::GnocchiStatsd - OS::TripleO::Services::GnocchiStatsd

View File

@ -89,6 +89,7 @@
- OS::TripleO::Services::Frr - OS::TripleO::Services::Frr
- OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::ExternalSwiftProxy
- OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GlanceApiInternal
- OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiApi
- OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiMetricd
- OS::TripleO::Services::GnocchiStatsd - OS::TripleO::Services::GnocchiStatsd

View File

@ -89,6 +89,7 @@
- OS::TripleO::Services::Frr - OS::TripleO::Services::Frr
- OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::ExternalSwiftProxy
- OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GlanceApiInternal
- OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiApi
- OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiMetricd
- OS::TripleO::Services::GnocchiStatsd - OS::TripleO::Services::GnocchiStatsd

View File

@ -88,6 +88,7 @@
- OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::ExternalSwiftProxy
- OS::TripleO::Services::Frr - OS::TripleO::Services::Frr
- OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GlanceApiInternal
- OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiApi
- OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiMetricd
- OS::TripleO::Services::GnocchiStatsd - OS::TripleO::Services::GnocchiStatsd

View File

@ -93,6 +93,7 @@
- OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::ExternalSwiftProxy
- OS::TripleO::Services::Frr - OS::TripleO::Services::Frr
- OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GlanceApiInternal
- OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiApi
- OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiMetricd
- OS::TripleO::Services::GnocchiStatsd - OS::TripleO::Services::GnocchiStatsd

View File

@ -232,8 +232,8 @@ environments:
DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'} DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'} DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'} GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} GlanceAdmin: {protocol: 'https', port: '9293', host: 'CLOUDNAME'}
GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} GlanceInternal: {protocol: 'https', port: '9293', host: 'CLOUDNAME'}
GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'} GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'} GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}