From a2a6ddab59e60ba977ac85b9881530ae3b5bb0c7 Mon Sep 17 00:00:00 2001 
From: Oliver Walsh Date: Wed, 8 Apr 2020 21:04:49 +0100 Subject: [PATCH] Refactor nova db config It is best to avoid placing db creds on the compute nodes to limit the exposure if an attacker succeeds in gaining access to the hypervisor host. Related patches in puppet-nova remove the credentials from nova.conf however the current scope of db credential hieradata is all nova tripleo services - so it will be written to the hieradata keys on compute nodes. This patch refactors the nova hieradata structure, splitting the nova-api/nova database hieradata out into individual templates and selectively including only where necessary, ensuring we have no db creds on a compute node (unless it is an all-in-one api+compute node). Conflicts: deployment/nova/nova-manager-container-puppet.yaml deployment/nova/nova-compute-common-container-puppet.yaml Depends-On: I07caa3185427b48e6e7d60965fa3e6157457018c Change-Id: Ia4a29bdd2cd8e894bcc7c0078cf0f0ab0f97de0a Closes-bug: #1871482 (cherry picked from commit 9d82364de8d6d1fba083993e085fb8cafcc08268) --- .../nova/nova-api-container-puppet.yaml | 38 +++++-- deployment/nova/nova-apidb-client-puppet.yaml | 78 +++++++++++++ deployment/nova/nova-base-puppet.yaml | 72 +----------- .../nova-compute-common-container-puppet.yaml | 22 ++-- .../nova/nova-compute-container-puppet.yaml | 19 +--- .../nova/nova-conductor-container-puppet.yaml | 60 +++++++--- deployment/nova/nova-db-client-puppet.yaml | 80 +++++++++++++ .../nova/nova-ironic-container-puppet.yaml | 13 +-- .../nova/nova-libvirt-container-puppet.yaml | 11 +- .../nova/nova-manager-container-puppet.yaml | 105 ++++++++++++++++++ .../nova/nova-metadata-container-puppet.yaml | 45 ++++++-- .../nova/nova-scheduler-container-puppet.yaml | 31 +++++- .../nova/nova-vnc-proxy-container-puppet.yaml | 19 +++- 13 files changed, 449 insertions(+), 144 deletions(-) create mode 100644 deployment/nova/nova-apidb-client-puppet.yaml create mode 100644 deployment/nova/nova-db-client-puppet.yaml create mode 
100644 deployment/nova/nova-manager-container-puppet.yaml diff --git a/deployment/nova/nova-api-container-puppet.yaml b/deployment/nova/nova-api-container-puppet.yaml index f4c9cf5caf..8c1751c78f 100644 --- a/deployment/nova/nova-api-container-puppet.yaml +++ b/deployment/nova/nova-api-container-puppet.yaml @@ -160,6 +160,27 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + NovaApiDBClient: + type: ./nova-apidb-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + NovaDBClient: + type: ./nova-db-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + outputs: role_data: description: Role data for the Nova API role. @@ -188,6 +209,8 @@ outputs: config_settings: map_merge: - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [NovaApiDBClient, role_data, config_settings] + - get_attr: [NovaDBClient, role_data, config_settings] - get_attr: [NovaApiLogging, config_settings] - apache::default_vhost: false nova::keystone::authtoken::project_name: 'service' 
@@ -240,19 +263,14 @@ outputs: nova::wsgi::apache_api::workers: {get_param: NovaWorkers} service_config_settings: + rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq} + mysql: + map_merge: + - get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql] + - get_attr: [NovaDBClient, role_data, service_config_settings, mysql] rsyslog: tripleo_logging_sources_nova_api: - {get_param: NovaApiLoggingSource} - mysql: - map_merge: - - {get_attr: [NovaBase, role_data, service_config_settings, mysql]} - - nova::db::mysql_api::password: {get_param: NovaPassword} - nova::db::mysql_api::user: nova_api - nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - nova::db::mysql_api::dbname: nova_api - nova::db::mysql_api::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" # BEGIN DOCKER SETTINGS puppet_config: config_volume: nova diff --git a/deployment/nova/nova-apidb-client-puppet.yaml b/deployment/nova/nova-apidb-client-puppet.yaml new file mode 100644 index 0000000000..604a677fc4 --- /dev/null +++ b/deployment/nova/nova-apidb-client-puppet.yaml 
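Review bot: The new `rabbitmq:` line in service_config_settings puts `rabbitmq` outside the get_attr path: `{get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}` is a YAML flow mapping with two keys (`get_attr` and `rabbitmq` with a null value), so as far as I can tell Heat will not recognise it as a function call and the rabbitmq hieradata becomes a literal map instead of NovaBase's `nova::rabbit_use_ssl` setting. The intended form is presumably `rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings, rabbitmq]}`. The same line is added in the conductor, metadata, scheduler and vnc-proxy hunks of this patch.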
@@ -0,0 +1,78 @@ +heat_template_version: rocky + +description: > + OpenStack Nova database client service. + +parameters: + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + NovaPassword: + description: The password for the nova service and db account + type: string + hidden: true + EnableSQLAlchemyCollectd: + type: boolean + description: > + Set to true to enable the SQLAlchemy-collectd server plugin + default: false + +conditions: + enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]} + +outputs: + role_data: + description: Role data for the Nova base service. 
+ value: + config_settings: + nova::api_database_connection: + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: nova_api + password: {get_param: NovaPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /nova_api + query: + if: + - enable_sqlalchemy_collectd + - + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + plugin: collectd + collectd_program_name: nova_api + collectd_host: localhost + - + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + service_config_settings: + mysql: + nova::db::mysql_api::password: {get_param: NovaPassword} + nova::db::mysql_api::user: nova_api + nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + nova::db::mysql_api::dbname: nova_api + nova::db::mysql_api::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/deployment/nova/nova-base-puppet.yaml b/deployment/nova/nova-base-puppet.yaml index d9fa5ce5f3..d0d5bd53f6 100644 --- a/deployment/nova/nova-base-puppet.yaml +++ b/deployment/nova/nova-base-puppet.yaml @@ -63,10 +63,6 @@ parameters: default: 'br-int' description: Name of integration bridge used by Open vSwitch type: string - DatabaseSyncTimeout: - default: 300 - description: DB Sync Timeout default - type: number Debug: type: boolean default: false 
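Review bot: Both descriptions in the new nova-apidb-client-puppet.yaml are copied from the base template: the file header says `OpenStack Nova database client service.` and the role_data output says `Role data for the Nova base service.`, neither of which identifies this as the nova_api database client. Suggest `OpenStack Nova API database client service.` and `Role data for the Nova API database client service.`; nova-db-client-puppet.yaml carries the same `Nova base service` output description. Separately, `nova::db::mysql_api::allowed_hosts` keeps the `'%'` wildcard grant carried over from the old api template, which lets the nova_api account be used from any host that obtains the password; a comment recording that this grant is intentionally broad (or a tightening, if the `mysql_bind_host` entry alone suffices) would complete the credential-exposure reasoning given in the commit message.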
@@ -298,66 +294,6 @@ outputs: nova::placement::region_name: {get_param: KeystoneRegion} nova::placement::valid_interfaces: {get_param: PlacementAPIInterface} nova::os_region_name: {get_param: KeystoneRegion} - nova::database_connection: - make_url: - scheme: {get_param: [EndpointMap, MysqlCellInternal, protocol]} - username: nova - password: {get_param: NovaPassword} - host: {get_param: [EndpointMap, MysqlCellInternal, host]} - path: /nova - query: - if: - - enable_sqlalchemy_collectd - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - plugin: collectd - collectd_program_name: nova - collectd_host: localhost - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - - nova::cell0_database_connection: - make_url: - scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} - username: nova - password: {get_param: NovaPassword} - host: {get_param: [EndpointMap, MysqlInternal, host]} - path: /nova_cell0 - query: - if: - - enable_sqlalchemy_collectd - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - plugin: collectd - collectd_program_name: nova_cell0 - collectd_host: localhost - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - - nova::api_database_connection: - make_url: - scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} - username: nova_api - password: {get_param: NovaPassword} - host: {get_param: [EndpointMap, MysqlInternal, host]} - path: /nova_api - query: - if: - - enable_sqlalchemy_collectd - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - plugin: collectd - collectd_program_name: nova_api - collectd_host: localhost - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - nova::logging::debug: if: - service_debug_unset 
@@ -379,8 +315,6 @@ outputs: nova::network::neutron::auth_type: 'v3password' nova::db::database_db_max_retries: -1 nova::db::database_max_retries: -1 - nova::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout} - nova::db::sync_api::db_sync_timeout: {get_param: DatabaseSyncTimeout} nova::network::neutron::ovs_bridge: {get_param: NovaOVSBridge} nova::cache::enabled: true nova::cache::backend: 'dogpile.cache.memcached' @@ -424,9 +358,5 @@ outputs: - {} - nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute} service_config_settings: - mysql: - # NOTE(aschultz): this should be configurable if/when we support more - # complex cell v2 configurations. For now, this is the default cell - # created for the cell v2 configuration - nova::db::mysql_api::setup_cell0: true + rabbitmq: nova::rabbit_use_ssl: {get_param: RpcUseSSL} diff --git a/deployment/nova/nova-compute-common-container-puppet.yaml b/deployment/nova/nova-compute-common-container-puppet.yaml index 0e522afd7b..f6dd0b1060 100644 --- a/deployment/nova/nova-compute-common-container-puppet.yaml +++ b/deployment/nova/nova-compute-common-container-puppet.yaml 
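Review bot: The removed `nova::db::mysql_api::setup_cell0: true` is not re-added in either new client template, so after this patch nothing in the visible diff asks the mysql profile to create the cell0 database; if the puppet-nova default already covers this, a one-line comment in nova-apidb-client-puppet.yaml's mysql block saying so would prevent the next reader from restoring it, otherwise the key should be moved there. Likewise the `DatabaseSyncTimeout` parameter (earlier `parameters:` hunk) and its two `db_sync_timeout` settings here are dropped outright rather than deprecated, so an existing `parameter_defaults` value would presumably be silently ignored; the commit message mentions neither removal.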
@@ -61,19 +61,27 @@ outputs: - not nova_additional_cell|bool - nova_cellv2_discovery_done is not defined block: - - name: discover via nova_compute? + - name: discover via nova_manager? set_fact: - nova_cellv2_discovery_delegate_host: "{{ groups['nova_compute'][0] }}" + nova_cellv2_discovery_delegate_host: "{{ groups['nova_manager'][0] }}" + nova_cellv2_discovery_container: nova_manager when: - - groups['nova_compute'] is defined and (groups['nova_compute']|length>0) - - name: discover via nova_ironic? + - groups['nova_manager'] is defined and (groups['nova_manager']|length>0) + - name: discover via nova_api? set_fact: - nova_cellv2_discovery_delegate_host: "{{ groups['nova_ironic'][0] }}" + nova_cellv2_discovery_delegate_host: "{{ groups['nova_api'][0] }}" + nova_cellv2_discovery_container: nova_api + when: + - nova_cellv2_discovery_delegate_host is not defined + - groups['nova_api'] is defined and (groups['nova_api']|length>0) + - name: Warn if no discovery host available + fail: + msg: 'No hosts available to run nova cell_v2 host discovery.' + ignore_errors: yes when: - nova_cellv2_discovery_delegate_host is not defined - - groups['nova_ironic'] is defined and (groups['nova_ironic']|length>0) - name: Discovering nova hosts - command: "{{ container_cli }} exec nova_compute nova-manage cell_v2 discover_hosts --by-service" + command: "{{ container_cli }} exec {{ nova_cellv2_discovery_container }} nova-manage cell_v2 discover_hosts --by-service" become: true changed_when: false delegate_to: '{{ nova_cellv2_discovery_delegate_host }}' diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml index 0dcabf56fb..0e09d9a993 100644 --- a/deployment/nova/nova-compute-container-puppet.yaml +++ b/deployment/nova/nova-compute-container-puppet.yaml 
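Review bot: The new `Warn if no discovery host available` task uses `fail:` with `ignore_errors: yes`, so the play continues into `Discovering nova hosts` with `nova_cellv2_discovery_container` undefined, and the `{{ nova_cellv2_discovery_container }}` in that task's `command:` will raise an undefined-variable error unless the task's `when:` (which lies outside this hunk) guards on it. A cleaner shape is `debug: msg: 'No hosts available to run nova cell_v2 host discovery.'` for the warning, or giving the later task `when: nova_cellv2_discovery_container is defined`. Also `ignore_errors: yes` should be `ignore_errors: true`, matching the `become: true` and `changed_when: false` booleans in the same hunk.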
@@ -538,16 +538,13 @@ resources: ContainersCommon: type: ../containers-common.yaml - MySQLClient: - type: ../../deployment/database/mysql-client.yaml - NovaComputeCommon: type: ./nova-compute-common-container-puppet.yaml properties: - EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} @@ -851,14 +848,11 @@ outputs: puppet_config: config_volume: nova_libvirt puppet_tags: nova_config,nova_paste_api_ini - step_config: - list_join: - - "\n" - - - # TODO(emilien): figure how to deal with libvirt profile. - # We'll probably treat it like we do with Neutron plugins. - # Until then, just include it in the default nova-compute role. - include tripleo::profile::base::nova::compute::libvirt - - {get_attr: [MySQLClient, role_data, step_config]} + step_config: | + # TODO(emilien): figure how to deal with libvirt profile. + # We'll probably treat it like we do with Neutron plugins. + # Until then, just include it in the default nova-compute role. + include tripleo::profile::base::nova::compute::libvirt config_image: {get_param: ContainerNovaLibvirtConfigImage} kolla_config: /var/lib/kolla/config_files/nova_compute.json: @@ -984,7 +978,6 @@ outputs: list_concat: - {get_attr: [ContainersCommon, volumes]} - - - /var/lib/config-data/nova_libvirt/etc/my.cnf.d/:/etc/my.cnf.d/:ro - /var/lib/config-data/nova_libvirt/etc/nova/:/etc/nova/:ro - /var/log/containers/nova:/var/log/nova - /var/lib/container-config-scripts/:/container-config-scripts/ diff --git a/deployment/nova/nova-conductor-container-puppet.yaml b/deployment/nova/nova-conductor-container-puppet.yaml index 401c007e8f..c215cd68bc 100644 --- a/deployment/nova/nova-conductor-container-puppet.yaml +++ b/deployment/nova/nova-conductor-container-puppet.yaml 
@@ -58,9 +58,14 @@ parameters: description: The password for the nova service and db account type: string hidden: true + NovaAdditionalCell: + default: false + description: Whether this is an cell additional to the default cell. + type: boolean conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} + is_not_additional_cell: {equals: [{get_param: NovaAdditionalCell}, false]} resources: @@ -86,6 +91,27 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + NovaApiDBClient: + type: ./nova-apidb-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + NovaDBClient: + type: ./nova-db-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + outputs: role_data: description: Role data for the Nova Conductor service. 
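Review bot: The description of the new `NovaAdditionalCell` parameter reads `Whether this is an cell additional to the default cell.`; suggest `Whether this is a cell additional to the default cell.`. The nova-compute-common hunk tests an Ansible fact `nova_additional_cell`, so presumably this parameter is declared elsewhere too; worth confirming the `false` default agrees with that declaration.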
@@ -94,27 +120,28 @@ outputs: monitoring_subscription: {get_param: MonitoringSubscriptionNovaConductor} config_settings: map_merge: - - {get_attr: [NovaBase, role_data, config_settings]} - - {get_attr: [NovaLogging, config_settings]} + - get_attr: [NovaBase, role_data, config_settings] + # FIXME(owalsh): NovaApiDBClient should be conditional on is_not_additional_cell + # however cell conductor currently requires api db access for affinity checks + - get_attr: [NovaApiDBClient, role_data, config_settings] + - get_attr: [NovaDBClient, role_data, config_settings] + - get_attr: [NovaLogging, config_settings] - if: - nova_workers_zero - {} - nova::conductor::workers: {get_param: NovaWorkers} service_config_settings: + rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq} + mysql: + map_merge: + # FIXME(owalsh): NovaApiDBClient should be conditional on is_not_additional_cell + # however cell conductor currently requires api db access for affinity checks + - get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql] + - get_attr: [NovaDBClient, role_data, service_config_settings, mysql] rsyslog: tripleo_logging_sources_nova_conductor: - {get_param: NovaConductorLoggingSource} - mysql: - map_merge: - - {get_attr: [NovaBase, role_data, service_config_settings, mysql]} - - nova::db::mysql::password: {get_param: NovaPassword} - nova::db::mysql::user: nova - nova::db::mysql::host: {get_param: [EndpointMap, MysqlCellInternal, host_nobrackets]} - nova::db::mysql::dbname: nova - nova::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" # BEGIN DOCKER SETTINGS puppet_config: config_volume: nova 
@@ -158,7 +185,14 @@ outputs: - /var/lib/config-data/nova/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro - /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro user: root - command: "/usr/bin/bootstrap_host_exec nova_conductor su nova -s /bin/bash -c '/usr/bin/nova-manage db sync'" + command: + str_replace: + template: "/usr/bin/bootstrap_host_exec nova_conductor su nova -s /bin/bash -c '/usr/bin/nova-manage db sync DB_SYNC_ARGS'" + params: + if: + - is_not_additional_cell + - DB_SYNC_ARGS: "" + - DB_SYNC_ARGS: "--local_cell" environment: TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} step_4: diff --git a/deployment/nova/nova-db-client-puppet.yaml b/deployment/nova/nova-db-client-puppet.yaml new file mode 100644 index 0000000000..db16a4e857 --- /dev/null +++ b/deployment/nova/nova-db-client-puppet.yaml 
@@ -0,0 +1,80 @@ +heat_template_version: rocky + +description: > + OpenStack Nova database client service. + +parameters: + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + NovaPassword: + description: The password for the nova service and db account + type: string + hidden: true + EnableSQLAlchemyCollectd: + type: boolean + description: > + Set to true to enable the SQLAlchemy-collectd server plugin + default: false + +conditions: + enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]} + +outputs: + role_data: + description: Role data for the Nova base service. 
+ value: + config_settings: + nova::database_connection: + make_url: + scheme: {get_param: [EndpointMap, MysqlCellInternal, protocol]} + username: nova + password: {get_param: NovaPassword} + host: {get_param: [EndpointMap, MysqlCellInternal, host]} + path: /nova + query: + if: + - enable_sqlalchemy_collectd + - + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + plugin: collectd + collectd_program_name: nova + collectd_host: localhost + - + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + service_config_settings: + mysql: + nova::db::mysql::password: {get_param: NovaPassword} + nova::db::mysql::user: nova + nova::db::mysql::host: {get_param: [EndpointMap, MysqlCellInternal, host_nobrackets]} + nova::db::mysql::dbname: nova + nova::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" + + diff --git a/deployment/nova/nova-ironic-container-puppet.yaml b/deployment/nova/nova-ironic-container-puppet.yaml index 7364ae655f..5bd4a9c9ae 100644 --- a/deployment/nova/nova-ironic-container-puppet.yaml +++ b/deployment/nova/nova-ironic-container-puppet.yaml @@ -83,16 +83,13 @@ resources: ContainersCommon: type: ../containers-common.yaml - MySQLClient: - type: ../../deployment/database/mysql-client.yaml - NovaComputeCommon: type: ./nova-compute-common-container-puppet.yaml properties: - EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} @@ -106,6 +103,7 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + outputs: role_data: description: Role data for the Nova Compute service. 
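Review bot: `nova::cell0_database_connection`, removed from nova-base-puppet.yaml in this patch, is not re-added in the new nova-db-client-puppet.yaml (which sets only `nova::database_connection`) nor in nova-apidb-client-puppet.yaml, so the templates no longer provide the cell0 connection string. If the puppet-nova change this Depends-On derives cell0 from the main connection, that deserves a comment above `nova::database_connection` saying so; otherwise the key needs a home here. The file also ends with two blank `+` lines and, like the apidb client, describes its output as `Role data for the Nova base service.`.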
@@ -131,11 +129,8 @@ outputs: puppet_config: config_volume: nova puppet_tags: nova_config,nova_paste_api_ini - step_config: - list_join: - - "\n" - - - include tripleo::profile::base::nova::compute::ironic - - {get_attr: [MySQLClient, role_data, step_config]} + step_config: | + include tripleo::profile::base::nova::compute::ironic config_image: {get_param: ContainerNovaConfigImage} kolla_config: /var/lib/kolla/config_files/nova_ironic.json: diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml index 816682b4d2..a3fcd8f559 100644 --- a/deployment/nova/nova-libvirt-container-puppet.yaml +++ b/deployment/nova/nova-libvirt-container-puppet.yaml @@ -346,9 +346,6 @@ resources: ContainersCommon: type: ../containers-common.yaml - MySQLClient: - type: ../../deployment/database/mysql-client.yaml - NovaLibvirtLogging: type: OS::TripleO::Services::Logging::NovaLibvirt @@ -362,6 +359,7 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + outputs: role_data: description: Role data for the Libvirt service. @@ -564,11 +562,8 @@ outputs: puppet_config: config_volume: nova_libvirt puppet_tags: libvirtd_config,virtlogd_config,nova_config,file,libvirt_tls_password - step_config: - list_join: - - "\n" - - - include tripleo::profile::base::nova::libvirt - - {get_attr: [MySQLClient, role_data, step_config]} + step_config: | + include tripleo::profile::base::nova::libvirt config_image: {get_param: ContainerNovaLibvirtConfigImage} kolla_config: /var/lib/kolla/config_files/nova_libvirt.json: diff --git a/deployment/nova/nova-manager-container-puppet.yaml b/deployment/nova/nova-manager-container-puppet.yaml new file mode 100644 index 0000000000..7d5da2d2ef --- /dev/null +++ b/deployment/nova/nova-manager-container-puppet.yaml 
@@ -0,0 +1,105 @@ +heat_template_version: rocky + +description: > + OpenStack containerized nova-manage runner service + +parameters: + ContainerNovaConductorImage: + description: image + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + + +resources: + + # Cannot control nova-manage logging so expect it to log to file + NovaLogging: + type: ../logging/files/nova-common.yaml + properties: + ContainerNovaImage: &nova_conductor_image {get_param: ContainerNovaConductorImage} + NovaServiceName: 'manager' + + ContainersCommon: + type: ../containers-common.yaml + + NovaConductorBase: + type: ./nova-conductor-container-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + +outputs: + role_data: + description: Role data for the nova-manage runner service. 
+ value: + service_name: nova_manager + config_settings: + get_attr: [NovaConductorBase, role_data, config_settings] + service_config_settings: + mysql: + get_attr: [NovaConductorBase, role_data, service_config_settings, mysql] + # BEGIN DOCKER SETTINGS + puppet_config: + get_attr: [NovaConductorBase, role_data, puppet_config] + kolla_config: + /var/lib/kolla/config_files/nova_manager.json: + command: "/bin/sleep infinity" + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + permissions: + - path: /var/log/nova + owner: nova:nova + recurse: true + docker_config: + step_2: + get_attr: [NovaLogging, docker_config, step_2] + step_4: + nova_manager: + image: *nova_conductor_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - {get_attr: [NovaLogging, volumes]} + - + - /var/lib/kolla/config_files/nova_manager.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/nova:/var/lib/kolla/config_files/src:ro + environment: + KOLLA_CONFIG_STRATEGY: COPY_ALWAYS + host_prep_tasks: + get_attr: [NovaLogging, host_prep_tasks] diff --git a/deployment/nova/nova-metadata-container-puppet.yaml b/deployment/nova/nova-metadata-container-puppet.yaml index 3824d1703c..bee6a46873 100644 --- a/deployment/nova/nova-metadata-container-puppet.yaml +++ b/deployment/nova/nova-metadata-container-puppet.yaml @@ -81,6 +81,7 @@ conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}} + is_not_cell_local: {equals: [{get_param: NovaLocalMetadataPerCell}, false]} resources: 
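Review bot: The new nova_manager container is documented only as a "nova-manage runner"; since its config_settings are copied from NovaConductorBase it receives both the api and cell database credentials, and its only visible workload is being `exec`ed into by the cell_v2 discovery task in nova-compute-common. A comment on `command: "/bin/sleep infinity"` such as `# Idle container that exists only as an exec target for nova-manage; it carries nova DB credentials, so place it on api/conductor roles, never on compute-only nodes` would record the constraint this patch exists to enforce. `privileged: false` and the read-only config mounts are good; the container sets no `user:`, so which account the exec'ed nova-manage runs as depends on the image default and is worth stating if intended.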
@@ -114,6 +115,27 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + NovaApiDBClient: + type: ./nova-apidb-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + NovaDBClient: + type: ./nova-db-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + outputs: role_data: description: Role data for the Nova Metadata service. @@ -128,6 +150,11 @@ outputs: config_settings: map_merge: - get_attr: [NovaBase, role_data, config_settings] + - if: + - is_not_cell_local + - get_attr: [NovaApiDBClient, role_data, config_settings] + - {} + - get_attr: [NovaDBClient, role_data, config_settings] - get_attr: [ApacheServiceBase, role_data, config_settings] - get_attr: [NovaMetadataLogging, config_settings] - apache::default_vhost: false 
@@ -168,19 +195,17 @@ outputs: - nova::metadata::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} - {} service_config_settings: + rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq} + mysql: + map_merge: + - if: + - is_not_cell_local + - get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql] + - {} + - get_attr: [NovaDBClient, role_data, service_config_settings, mysql] rsyslog: tripleo_logging_sources_nova_metadata: - {get_param: NovaMetadataLoggingSource} - mysql: - map_merge: - - {get_attr: [NovaBase, role_data, service_config_settings, mysql]} - - nova::db::mysql_api::password: {get_param: NovaPassword} - nova::db::mysql_api::user: nova_api - nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - nova::db::mysql_api::dbname: nova_api - nova::db::mysql_api::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" # BEGIN DOCKER SETTINGS puppet_config: config_volume: nova_metadata diff --git a/deployment/nova/nova-scheduler-container-puppet.yaml b/deployment/nova/nova-scheduler-container-puppet.yaml index 234c8143df..7ad3b8f774 100644 --- a/deployment/nova/nova-scheduler-container-puppet.yaml +++ b/deployment/nova/nova-scheduler-container-puppet.yaml 
@@ -142,6 +142,26 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + NovaApiDBClient: + type: ./nova-apidb-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + NovaDBClient: + type: ./nova-db-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + outputs: role_data: @@ -151,8 +171,10 @@ outputs: monitoring_subscription: {get_param: MonitoringSubscriptionNovaScheduler} config_settings: map_merge: - - {get_attr: [NovaBase, role_data, config_settings]} - - {get_attr: [NovaLogging, config_settings]} + - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [NovaApiDBClient, role_data, config_settings] + - get_attr: [NovaDBClient, role_data, config_settings] + - get_attr: [NovaLogging, config_settings] - nova::scheduler::filter::scheduler_available_filters: {get_param: NovaSchedulerAvailableFilters} nova::scheduler::filter::scheduler_default_filters: {get_param: NovaSchedulerDefaultFilters} nova::scheduler::filter::scheduler_max_attempts: {get_param: NovaSchedulerMaxAttempts} @@ -168,6 +190,11 @@ outputs: - {} - nova::scheduler::workers: {get_param: NovaSchedulerWorkers} service_config_settings: + rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq} + mysql: + map_merge: + - get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql] + - get_attr: [NovaDBClient, role_data, service_config_settings, mysql] rsyslog: tripleo_logging_sources_nova_scheduler: - {get_param: NovaSchedulerLoggingSource} 
diff --git a/deployment/nova/nova-vnc-proxy-container-puppet.yaml b/deployment/nova/nova-vnc-proxy-container-puppet.yaml index c8b4479f7a..276d44d2ce 100644 --- a/deployment/nova/nova-vnc-proxy-container-puppet.yaml +++ b/deployment/nova/nova-vnc-proxy-container-puppet.yaml @@ -138,6 +138,17 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + NovaDBClient: + type: ./nova-db-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + outputs: role_data: description: Role data for the Nova Vncproxy service. @@ -150,7 +161,9 @@ outputs: - 13080 config_settings: map_merge: - - {get_attr: [NovaLogging, config_settings]} + - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [NovaDBClient, role_data, config_settings] + - get_attr: [NovaLogging, config_settings] - nova::vncproxy::enabled: true nova::vncproxy::common::vncproxy_protocol: {get_param: [EndpointMap, NovaVNCProxyCellPublic, protocol]} nova::vncproxy::common::vncproxy_host: {get_param: [EndpointMap, NovaVNCProxyCellPublic, host_nobrackets]} @@ -226,6 +239,10 @@ outputs: NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} - {} service_config_settings: + rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq} + mysql: + map_merge: + - get_attr: [NovaDBClient, role_data, service_config_settings, mysql] rsyslog: tripleo_logging_sources_nova_vnc_proxy: - {get_param: NovaVncproxyLoggingSource}
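Review bot: In the vnc-proxy `service_config_settings`, `mysql:` wraps a single `get_attr` in `map_merge`, which adds nothing; `mysql: {get_attr: [NovaDBClient, role_data, service_config_settings, mysql]}` says the same thing. The config_settings hunk also starts merging `NovaBase` role_data, which the previous version of that list did not, and NovaBase is not declared anywhere in this diff; presumably it already exists in the template's `resources:`, but that is worth confirming since an undeclared resource only fails at stack validation.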