openstack
/
tripleo-heat-templates
Code Issues Proposed changes

step1: flatten nova service configuration 

This change combines the previous puppet and docker files
into a single file that performs the docker service installation
and configuration. With this patch the baremetal version of
nova has been removed.

Change-Id: If8f4daa9127aa528a2088a978494f2d6d83106e2
This commit is contained in:
Jill Rouleau 2019-01-21 11:43:46 -07:00
parent 70296a027d
commit 2bae8cc78a
15 changed files with 316 additions and 525 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ci/environments/scenario006-multinode-containers.yaml
View File

@ -1,7 +1,7 @@
resource_registry:
OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml
OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml
OS::TripleO::Services::NovaIronic: ../docker/services/nova-ironic.yaml
OS::TripleO::Services::NovaIronic: ../deployment/nova/nova-ironic-container-puppet.yaml
OS::TripleO::Services::IronicApi: ../deployment/ironic/ironic-api-container-puppet.yaml
OS::TripleO::Services::IronicConductor: ../deployment/ironic/ironic-conductor-container-puppet.yaml
OS::TripleO::Services::IronicPxe: ../deployment/ironic/ironic-pxe-container-puppet.yaml

2
ci/environments/scenario012-multinode-containers.yaml
View File

@ -1,7 +1,7 @@
resource_registry:
OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml
OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml
OS::TripleO::Services::NovaIronic: ../../docker/services/nova-ironic.yaml
OS::TripleO::Services::NovaIronic: ../../deployment/nova/nova-ironic-container-puppet.yaml
OS::TripleO::Services::IronicApi: ../../deployment/ironic/ironic-api-container-puppet.yaml
OS::TripleO::Services::IronicConductor: ../../deployment/ironic/ironic-conductor-container-puppet.yaml
OS::TripleO::Services::IronicPxe: ../../deployment/ironic/ironic-pxe-container-puppet.yaml

45
docker/services/nova-consoleauth.yaml → deployment/nova/nova-consoleauth-container-puppet.yaml
View File

@ -45,43 +45,51 @@ parameters:
default: false
description: Remove package if the service is being disabled during upgrade
type: boolean
MonitoringSubscriptionNovaConsoleauth:
default: 'overcloud-nova-consoleauth'
type: string
RpcPort:
default: 5672
description: The network port for messaging backend
type: number
resources:
ContainersCommon:
type: ./containers-common.yaml
type: ../../docker/services/containers-common.yaml
MySQLClient:
type: ../../deployment/database/mysql-client.yaml
NovaConsoleauthPuppetBase:
type: ../../puppet/services/nova-consoleauth.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaLogging:
type: OS::TripleO::Services::Logging::NovaCommon
properties:
DockerNovaImage: {get_param: DockerNovaConsoleauthImage}
NovaServiceName: 'consoleauth'
NovaBase:
type: ../../puppet/services/nova-base.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Nova Consoleauth service.
value:
service_name: {get_attr: [NovaConsoleauthPuppetBase, role_data, service_name]}
service_name: nova_consoleauth
monitoring_subscription: {get_param: MonitoringSubscriptionNovaConsoleauth}
config_settings:
map_merge:
- {get_attr: [NovaConsoleauthPuppetBase, role_data, config_settings]}
- {get_attr: [NovaBase, role_data, config_settings]}
- {get_attr: [NovaLogging, config_settings]}
service_config_settings:
map_merge:
- get_attr: [NovaConsoleauthPuppetBase, role_data, service_config_settings]
- get_attr: [NovaBase, role_data, service_config_settings]
- fluentd:
tripleo_fluentd_groups_nova_consoleauth:
- nova
@ -94,7 +102,7 @@ outputs:
step_config:
list_join:
- "\n"
- - {get_attr: [NovaConsoleauthPuppetBase, role_data, step_config]}
- - include tripleo::profile::base::nova::consoleauth
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: DockerNovaConfigImage}
kolla_config:
@ -113,6 +121,8 @@ outputs:
- path: /var/log/nova
owner: nova:nova
recurse: true
step_config: |
include tripleo::profile::base::nova::consoleauth
docker_config:
step_4:
nova_consoleauth:
@ -128,7 +138,7 @@ outputs:
- yaql:
expression: str($.data.port)
data:
port: {get_attr: [NovaConsoleauthPuppetBase, role_data, config_settings, 'nova::rabbit_port']}
port: {get_param: RpcPort}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
@ -147,6 +157,9 @@ outputs:
persistent: yes
state: yes
upgrade_tasks:
- name: Stop nova_consoleauth service
when: step|int == 1
service: name=openstack-nova-consoleauth state=stopped
- when: step|int == 3
block:
- name: Set fact for removal of openstack-nova-console package

34
docker/services/nova-ironic.yaml → deployment/nova/nova-ironic-container-puppet.yaml
View File

@ -40,17 +40,21 @@ parameters:
default: false
description: Remove package if the service is being disabled during upgrade
type: boolean
IronicPassword:
description: The password for the Ironic service and db account, used by the Ironic services
type: string
hidden: true
resources:
ContainersCommon:
type: ./containers-common.yaml
type: ../../docker/services/containers-common.yaml
MySQLClient:
type: ../../deployment/database/mysql-client.yaml
NovaComputeCommon:
type: ./nova-compute-common.yaml
type: ../../docker/services/nova-compute-common.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
@ -59,8 +63,8 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaIronicBase:
type: ../../puppet/services/nova-ironic.yaml
NovaBase:
type: ../../puppet/services/nova-base.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
@ -73,15 +77,26 @@ outputs:
role_data:
description: Role data for the Nova Compute service.
value:
service_name: {get_attr: [NovaIronicBase, role_data, service_name]}
config_settings: {get_attr: [NovaIronicBase, role_data, config_settings]}
service_name: nova_ironic
config_settings:
map_merge:
- get_attr: [NovaBase, role_data, config_settings]
- nova::compute::force_config_drive: true
nova::compute::reserved_host_memory: '0'
nova::compute::vnc_enabled: false
nova::ironic::common::password: {get_param: IronicPassword}
nova::ironic::common::project_name: 'service'
nova::ironic::common::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
nova::ironic::common::username: 'ironic'
nova::ironic::common::api_endpoint: {get_param: [EndpointMap, IronicInternal, uri]}
nova::network::neutron::dhcp_domain: ''
puppet_config:
config_volume: nova
puppet_tags: nova_config,nova_paste_api_ini
step_config:
list_join:
- "\n"
- - {get_attr: [NovaIronicBase, role_data, step_config]}
- - include tripleo::profile::base::nova::compute::ironic
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: DockerNovaConfigImage}
kolla_config:
@ -131,7 +146,7 @@ outputs:
- yaql:
expression: str($.data.port)
data:
port: {get_attr: [NovaIronicBase, role_data, config_settings, 'nova::rabbit_port']}
port: {get_attr: [NovaBase, role_data, config_settings, 'nova::rabbit_port']}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
@ -184,6 +199,9 @@ outputs:
persistent: yes
state: yes
upgrade_tasks:
- name: Stop openstack-nova-compute service
when: step|int == 1
service: name=openstack-nova-compute state=stopped enabled=no
- when: step|int == 3
block:
- name: Set fact for removal of openstack-nova-compute package

124
docker/services/nova-metadata.yaml → deployment/nova/nova-metadata-container-puppet.yaml
View File

@ -48,40 +48,73 @@ parameters:
default: false
description: When true we create the NAT rule for the metadata service
type: boolean
NovaWorkers:
default: 0
description: Number of workers for Nova services.
type: number
NovaPassword:
description: The password for the nova service and db account
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
NeutronMetadataProxySharedSecret:
description: Shared secret to prevent spoofing
type: string
hidden: true
MonitoringSubscriptionNovaMetadata:
default: 'overcloud-nova-metadata'
type: string
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
need_metadata_nat_rule: {equals: [{get_param: MetadataNATRule}, true]}
nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
resources:
ContainersCommon:
type: ./containers-common.yaml
type: ../../docker/services/containers-common.yaml
MySQLClient:
type: ../../deployment/database/mysql-client.yaml
NovaMetadataBase:
type: ../../puppet/services/nova-metadata.yaml
NovaMetadataLogging:
type: OS::TripleO::Services::Logging::NovaMetadata
ApacheServiceBase:
type: ../../puppet/services/apache.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
NovaMetadataLogging:
type: OS::TripleO::Services::Logging::NovaMetadata
NovaBase:
type: ../../puppet/services/nova-base.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Nova Metadata service.
value:
service_name: {get_attr: [NovaMetadataBase, role_data, service_name]}
service_name: nova_metadata
config_settings:
map_merge:
- get_attr: [NovaMetadataBase, role_data, config_settings]
- get_attr: [NovaBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- get_attr: [NovaMetadataLogging, config_settings]
- apache::default_vhost: false
- tripleo::nova_metadata::firewall_rules:
@ -98,14 +131,71 @@ outputs:
extras:
toports: 8775
- {}
- tripleo::nova_placement::firewall_rules:
'139 nova_metadata':
dport:
- 8775
- 13775
nova::keystone::authtoken::project_name: 'service'
nova::keystone::authtoken::password: {get_param: NovaPassword}
nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
nova::metadata::enable_proxy_headers_parsing: true
nova_metadata_wsgi_enabled: true
nova::wsgi::apache_metadata::api_port: '8775'
nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
nova::wsgi::apache_metadata::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
nova::wsgi::apache_metadata::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
-
if:
- nova_workers_zero
- {}
- nova::wsgi::apache_metadata::workers: {get_param: NovaWorkers}
-
if:
- is_neutron_shared_metadata_notempty
- nova::metadata::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
- {}
service_config_settings:
map_merge:
- get_attr: [NovaMetadataBase, role_data, service_config_settings]
- fluentd:
tripleo_fluentd_groups_nova_metadata:
- nova
tripleo_fluentd_sources_nova_metadata:
- {get_param: NovaMetadataLoggingSource}
fluentd:
tripleo_fluentd_groups_nova_metadata:
- nova
tripleo_fluentd_sources_nova_metadata:
- {get_param: NovaMetadataLoggingSource}
keystone:
nova::keystone::auth::tenant: 'service'
nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]}
nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]}
nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
nova::keystone::auth::password: {get_param: NovaPassword}
nova::keystone::auth::region: {get_param: KeystoneRegion}
mysql:
map_merge:
- {get_attr: [NovaBase, role_data, service_config_settings, mysql]}
- nova::db::mysql_api::password: {get_param: NovaPassword}
nova::db::mysql_api::user: nova_api
nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
nova::db::mysql_api::dbname: nova_api
nova::db::mysql_api::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
step_config: |
include tripleo::profile::base::nova::metadata
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: nova_metadata
@ -113,7 +203,7 @@ outputs:
step_config:
list_join:
- "\n"
- - {get_attr: [NovaMetadataBase, role_data, step_config]}
- - include tripleo::profile::base::nova::metadata
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: DockerNovaMetadataConfigImage}
kolla_config:
@ -163,8 +253,6 @@ outputs:
- ''
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
get_attr: [NovaMetadataBase, role_data, metadata_settings]
host_prep_tasks: {get_attr: [NovaMetadataLogging, host_prep_tasks]}
post_upgrade_tasks:
- when: step|int == 1

47
docker/services/nova-migration-target.yaml → deployment/nova/nova-migration-target-container-puppet.yaml
View File

@ -68,7 +68,7 @@ conditions:
resources:
ContainersCommon:
type: ./containers-common.yaml
type: ../../docker/services/containers-common.yaml
SshdBase:
type: ../../deployment/sshd/sshd-baremetal-puppet.yaml
@ -79,15 +79,6 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaMigrationTargetBase:
type: ../../puppet/services/nova-migration-target.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Nova Migration Target service.
@ -96,7 +87,39 @@ outputs:
config_settings:
map_merge:
- get_attr: [SshdBase, role_data, config_settings]
- get_attr: [NovaMigrationTargetBase, role_data, config_settings]
- tripleo::profile::base::nova::migration::target::ssh_authorized_keys:
- {get_param: [ MigrationSshKey, public_key ]}
tripleo::profile::base::nova::migration::target::ssh_localaddrs:
- "%{hiera('cold_migration_ssh_inbound_addr')}"
- "%{hiera('live_migration_ssh_inbound_addr')}"
live_migration_ssh_inbound_addr:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK:
get_param:
- ServiceNetMap
- str_replace:
template: "ROLENAMEHostnameResolveNetwork"
params:
ROLENAME: {get_param: RoleName}
cold_migration_ssh_inbound_addr:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
tripleo::profile::base::sshd::port:
- 22
- {get_param: MigrationSshPort}
tripleo::nova_migration_target::firewall_rules:
'113 nova_migration_target':
dport:
- {get_param: MigrationSshPort}
step_config: |
include tripleo::profile::base::nova::migration::target
# NB this prevents the baremetal ssh from listening on port 2022
# It doesn't affect the sshd port in the container as we override it below on the sshd cli
- tripleo::profile::base::sshd::port: 22
@ -112,7 +135,7 @@ outputs:
list_join:
- "\n"
- - get_attr: [SshdBase, role_data, step_config]
- get_attr: [NovaMigrationTargetBase, role_data, step_config]
- include tripleo::profile::base::nova::migration::target
config_image: {get_param: DockerNovaLibvirtConfigImage}
kolla_config:
/var/lib/kolla/config_files/nova-migration-target.json:

130
docker/services/nova-vnc-proxy.yaml → deployment/nova/nova-vnc-proxy-container-puppet.yaml
View File

@ -86,47 +86,121 @@ conditions:
- {get_param: LibvirtVncCACert}
- ''
allow_noauth:
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
equals: [{get_param: StackUpdateType}, 'UPGRADE']
resources:
ContainersCommon:
type: ./containers-common.yaml
type: ../../docker/services/containers-common.yaml
MySQLClient:
type: ../../deployment/database/mysql-client.yaml
NovaVncProxyPuppetBase:
type: ../../puppet/services/nova-vnc-proxy.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaLogging:
type: OS::TripleO::Services::Logging::NovaCommon
properties:
DockerNovaImage: {get_param: DockerNovaVncProxyImage}
NovaServiceName: 'vncproxy'
NovaBase:
type: ../../puppet/services/nova-base.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Nova Vncproxy service.
value:
service_name: {get_attr: [NovaVncProxyPuppetBase, role_data, service_name]}
service_name: nova_vnc_proxy
config_settings:
map_merge:
- {get_attr: [NovaVncProxyPuppetBase, role_data, config_settings]}
- {get_attr: [NovaLogging, config_settings]}
- nova::vncproxy::enabled: true
nova::vncproxy::common::vncproxy_protocol: {get_param: [EndpointMap, NovaVNCProxyPublic, protocol]}
nova::vncproxy::common::vncproxy_host: {get_param: [EndpointMap, NovaVNCProxyPublic, host_nobrackets]}
nova::vncproxy::common::vncproxy_port: {get_param: [EndpointMap, NovaVNCProxyPublic, port]}
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
nova::vncproxy::host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
tripleo::nova_vnc_proxy::firewall_rules:
'137 nova_vnc_proxy':
dport:
- 6080
- 13080
-
if:
- use_tls_for_vnc
-
nova::vncproxy::allow_vencrypt: true
nova::vncproxy::allow_noauth: {if: [allow_noauth, true, false]}
nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem
nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
nova::ssl_only: true
nova::cert: /etc/pki/tls/certs/novnc_proxy.crt
nova::key: /etc/pki/tls/private/novnc_proxy.key
generate_service_certificates: true
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- get_param: LibvirtVncCACert
tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
libvirt_vnc_certificates_specs:
libvirt-vnc-client-cert:
cacertfile:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- null
service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem'
service_key: '/etc/pki/libvirt-vnc/client-key.pem'
notify_service: '%{::nova::params::vncproxy_service_name}'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
novnc_proxy_certificates_specs:
service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
service_key: '/etc/pki/tls/private/novnc_proxy.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
principal:
str_replace:
template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
- {}
service_config_settings:
map_merge:
- get_attr: [NovaVncProxyPuppetBase, role_data, service_config_settings]
- fluentd:
tripleo_fluentd_groups_nova_vnc_proxy:
- nova
tripleo_fluentd_sources_nova_vnc_proxy:
- {get_param: NovaVncproxyLoggingSource}
fluentd:
tripleo_fluentd_groups_nova_vnc_proxy:
- nova
tripleo_fluentd_sources_nova_vnc_proxy:
- {get_param: NovaVncproxyLoggingSource}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: nova
@ -134,7 +208,7 @@ outputs:
step_config:
list_join:
- "\n"
- - {get_attr: [NovaVncProxyPuppetBase, role_data, step_config]}
- - include tripleo::profile::base::nova::vncproxy
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: DockerNovaConfigImage}
kolla_config:
@ -196,9 +270,21 @@ outputs:
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
get_attr: [NovaVncProxyPuppetBase, role_data, metadata_settings]
if:
- use_tls_for_vnc
-
- service: libvirt-vnc
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- service: novnc-proxy
network: {get_param: [ServiceNetMap, NovaApiNetwork]}
type: node
- null
host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]}
upgrade_tasks:
- name: Stop nova_vnc_proxy service
when: step|int == 1
service: name=openstack-nova-consoleauth state=stopped
- when: step|int == 3
block:
- name: Set fact for removal of openstack-nova-novncproxy package

8
environments/baremetal-services.yaml
View File

@ -40,13 +40,13 @@ resource_registry:
OS::TripleO::Services::NovaApi: ../puppet/services/nova-api.yaml
OS::TripleO::Services::NovaCompute: ../puppet/services/nova-compute.yaml
OS::TripleO::Services::NovaConductor: ../puppet/services/nova-conductor.yaml
OS::TripleO::Services::NovaConsoleauth: ../puppet/services/nova-consoleauth.yaml
OS::TripleO::Services::NovaConsoleauth: ../deployment/nova/nova-consoleauth.yaml
OS::TripleO::Services::NovaLibvirt: ../puppet/services/nova-libvirt.yaml
OS::TripleO::Services::NovaMetadata: ../puppet/services/nova-metadata.yaml
OS::TripleO::Services::NovaMigrationTarget: ../puppet/services/nova-migration-target.yaml
OS::TripleO::Services::NovaMetadata: ../deployment/nova/nova-metadata-container-puppet.yaml
OS::TripleO::Services::NovaMigrationTarget: ../deployment/nova/nova-migration-target-container-puppet.yaml
OS::TripleO::Services::NovaPlacement: ../puppet/services/nova-placement.yaml
OS::TripleO::Services::NovaScheduler: ../puppet/services/nova-scheduler.yaml
OS::TripleO::Services::NovaVncProxy: ../puppet/services/nova-vnc-proxy.yaml
OS::TripleO::Services::NovaVncProxy: ../deployment/nova/nova-vnc-proxy-container-puppet.yaml
OS::TripleO::Services::PankoApi: ../deployment/panko/panko-api-container-puppet.yaml
OS::TripleO::Services::Qdr: OS::Heat::None
OS::TripleO::Services::RabbitMQ: ../puppet/services/rabbitmq.yaml

2
environments/computealt.yaml
View File

@ -10,7 +10,7 @@ resource_registry:
OS::TripleO::Services::IscsidAlt: ../deployment/iscsid/iscsid-container-puppet.yaml
OS::TripleO::Services::NovaComputeAlt: ../puppet/services/nova-compute.yaml
OS::TripleO::Services::NovaLibvirtAlt: ../puppet/services/nova-libvirt.yaml
OS::TripleO::Services::NovaMigrationTargetAlt: ../puppet/services/nova-migration-target.yaml
OS::TripleO::Services::NovaMigrationTargetAlt: ../deployment/nova/nova-migration-target-container-puppet.yaml
OS::TripleO::Services::SensuClientAlt: OS::Heat::None
# If enabling monitoring you'll need provide the following in a specific resource_registry
# OS::TripleO::Services::SensuClientAlt: ../puppet/services/monitoring/sensu-client.yaml

2
environments/services/ironic.yaml
View File

@ -5,5 +5,5 @@ resource_registry:
OS::TripleO::Services::IronicApi: ../../deployment/ironic/ironic-api-container-puppet.yaml
OS::TripleO::Services::IronicConductor: ../../deployment/ironic/ironic-conductor-container-puppet.yaml
OS::TripleO::Services::IronicPxe: ../../deployment/ironic/ironic-pxe-container-puppet.yaml
OS::TripleO::Services::NovaIronic: ../../docker/services/nova-ironic.yaml
OS::TripleO::Services::NovaIronic: ../../deployment/nova/nova-ironic-container-puppet.yaml
OS::TripleO::Services::IronicNeutronAgent: ../../deployment/ironic/ironic-neutron-agent-container-puppet.yaml

8
overcloud-resource-registry-puppet.j2.yaml
View File

@ -194,14 +194,14 @@ resource_registry:
OS::TripleO::Services::NovaApi: docker/services/nova-api.yaml
OS::TripleO::Services::NovaCompute: docker/services/nova-compute.yaml
OS::TripleO::Services::NovaConductor: docker/services/nova-conductor.yaml
OS::TripleO::Services::NovaConsoleauth: docker/services/nova-consoleauth.yaml
OS::TripleO::Services::NovaConsoleauth: deployment/nova/nova-consoleauth-container-puppet.yaml
OS::TripleO::Services::NovaLibvirt: docker/services/nova-libvirt.yaml
OS::TripleO::Services::NovaLibvirtGuests: puppet/services/nova-libvirt-guests.yaml
OS::TripleO::Services::NovaMetadata: docker/services/nova-metadata.yaml
OS::TripleO::Services::NovaMigrationTarget: docker/services/nova-migration-target.yaml
OS::TripleO::Services::NovaMetadata: deployment/nova/nova-metadata-container-puppet.yaml
OS::TripleO::Services::NovaMigrationTarget: deployment/nova/nova-migration-target-container-puppet.yaml
OS::TripleO::Services::NovaPlacement: docker/services/nova-placement.yaml
OS::TripleO::Services::NovaScheduler: docker/services/nova-scheduler.yaml
OS::TripleO::Services::NovaVncProxy: docker/services/nova-vnc-proxy.yaml
OS::TripleO::Services::NovaVncProxy: deployment/nova/nova-vnc-proxy-container-puppet.yaml
OS::TripleO::Services::Novajoin: OS::Heat::None
OS::TripleO::Services::ContainersLogrotateCrond: docker/services/logrotate-crond.yaml
OS::TripleO::Services::OpenShift::Master: OS::Heat::None

72
puppet/services/nova-consoleauth.yaml
View File

@ -1,72 +0,0 @@
heat_template_version: rocky
description: >
OpenStack Nova Consoleauth service configured with Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
MonitoringSubscriptionNovaConsoleauth:
default: 'overcloud-nova-consoleauth'
type: string
NovaConsoleauthLoggingSource:
type: json
default:
tag: openstack.nova.consoleauth
path: /var/log/nova/nova-consoleauth.log
resources:
NovaBase:
type: ./nova-base.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Nova Consoleauth service.
value:
service_name: nova_consoleauth
monitoring_subscription: {get_param: MonitoringSubscriptionNovaConsoleauth}
config_settings:
get_attr: [NovaBase, role_data, config_settings]
service_config_settings:
fluentd:
tripleo_fluentd_groups_nova_consoleauth:
- nova
tripleo_fluentd_sources_nova_consoleauth:
- {get_param: NovaConsoleauthLoggingSource}
step_config: |
include tripleo::profile::base::nova::consoleauth
upgrade_tasks:
- name: Stop nova_consoleauth service
when: step|int == 1
service: name=openstack-nova-consoleauth state=stopped

71
puppet/services/nova-ironic.yaml
View File

@ -1,71 +0,0 @@
heat_template_version: rocky
description: >
OpenStack Nova Compute service configured with Puppet and using Ironic
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
IronicPassword:
description: The password for the Ironic service and db account, used by the Ironic services
type: string
hidden: true
resources:
NovaBase:
type: ./nova-base.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Nova Compute service with Ironic.
value:
service_name: nova_ironic
config_settings:
map_merge:
- get_attr: [NovaBase, role_data, config_settings]
- nova::compute::force_config_drive: true
nova::compute::reserved_host_memory: '0'
nova::compute::vnc_enabled: false
nova::ironic::common::password: {get_param: IronicPassword}
nova::ironic::common::project_name: 'service'
nova::ironic::common::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
nova::ironic::common::username: 'ironic'
nova::ironic::common::api_endpoint: {get_param: [EndpointMap, IronicInternal, uri]}
nova::network::neutron::dhcp_domain: ''
step_config: |
include tripleo::profile::base::nova::compute::ironic
upgrade_tasks:
- name: Stop openstack-nova-compute service
when: step|int == 1
service: name=openstack-nova-compute state=stopped enabled=no

84
puppet/services/nova-migration-target.yaml
View File

@ -1,84 +0,0 @@
heat_template_version: rocky
description: >
OpenStack Nova migration target configured with Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
MigrationSshKey:
type: json
description: >
SSH key for migration.
Expects a dictionary with keys 'public_key' and 'private_key'.
Values should be identical to SSH public/private key files.
default:
public_key: ''
private_key: ''
MigrationSshPort:
default: 2022
description: Target port for migration over ssh
type: number
outputs:
role_data:
description: Role data for the Nova migration target service.
value:
service_name: nova_migration_target
config_settings:
tripleo::profile::base::nova::migration::target::ssh_authorized_keys:
- {get_param: [ MigrationSshKey, public_key ]}
tripleo::profile::base::nova::migration::target::ssh_localaddrs:
- "%{hiera('cold_migration_ssh_inbound_addr')}"
- "%{hiera('live_migration_ssh_inbound_addr')}"
live_migration_ssh_inbound_addr:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK:
get_param:
- ServiceNetMap
- str_replace:
template: "ROLENAMEHostnameResolveNetwork"
params:
ROLENAME: {get_param: RoleName}
cold_migration_ssh_inbound_addr:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
tripleo::profile::base::sshd::port:
- 22
- {get_param: MigrationSshPort}
tripleo::nova_migration_target::firewall_rules:
'113 nova_migration_target':
dport:
- {get_param: MigrationSshPort}
step_config: |
include tripleo::profile::base::nova::migration::target

210
puppet/services/nova-vnc-proxy.yaml
View File

@ -1,210 +0,0 @@
heat_template_version: rocky
description: >
OpenStack Nova Vncproxy service configured with Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
StackUpdateType:
type: string
description: >
Type of update, to differentiate between UPGRADE and UPDATE cases
when StackAction is UPDATE (both are the same stack action).
constraints:
- allowed_values: ['', 'UPGRADE', 'FASTFORWARDUPGRADE']
default: ''
MonitoringSubscriptionNovaVNCProxy:
default: 'overcloud-nova-vncproxy'
type: string
NovaVncproxyLoggingSource:
type: json
default:
tag: openstack.nova.vncproxy
path: /var/log/nova/nova-vncproxy.log
EnableInternalTLS:
type: boolean
default: false
UseTLSTransportForVnc:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt.
InternalTLSVncCAFile:
default: '/etc/pki/CA/certs/vnc.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
LibvirtVncCACert:
type: string
default: ''
description: This specifies the CA certificate to use for VNC TLS.
This file will be symlinked to the default CA path,
which is /etc/pki/libvirt-vnc/ca-cert.pem.
This parameter should be used if the default (which comes from
the InternalTLSVncCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
conditions:
use_tls_for_vnc:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForVnc}
- true
libvirt_vnc_specific_ca_unset:
equals:
- {get_param: LibvirtVncCACert}
- ''
allow_noauth:
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
equals: [{get_param: StackUpdateType}, 'UPGRADE']
resources:
NovaBase:
type: ./nova-base.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Nova Vncproxy service.
value:
service_name: nova_vnc_proxy
monitoring_subscription: {get_param: MonitoringSubscriptionNovaVNCProxy}
config_settings:
map_merge:
- get_attr: [NovaBase, role_data, config_settings]
- nova::vncproxy::enabled: true
nova::vncproxy::common::vncproxy_protocol: {get_param: [EndpointMap, NovaVNCProxyPublic, protocol]}
nova::vncproxy::common::vncproxy_host: {get_param: [EndpointMap, NovaVNCProxyPublic, host_nobrackets]}
nova::vncproxy::common::vncproxy_port: {get_param: [EndpointMap, NovaVNCProxyPublic, port]}
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
nova::vncproxy::host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
tripleo::nova_vnc_proxy::firewall_rules:
'137 nova_vnc_proxy':
dport:
- 6080
- 13080
-
if:
- use_tls_for_vnc
-
nova::vncproxy::allow_vencrypt: true
nova::vncproxy::allow_noauth: {if: [allow_noauth, true, false]}
nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem
nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
nova::ssl_only: true
nova::cert: /etc/pki/tls/certs/novnc_proxy.crt
nova::key: /etc/pki/tls/private/novnc_proxy.key
generate_service_certificates: true
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- get_param: LibvirtVncCACert
tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
libvirt_vnc_certificates_specs:
libvirt-vnc-client-cert:
cacertfile:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- null
service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem'
service_key: '/etc/pki/libvirt-vnc/client-key.pem'
notify_service: '%{::nova::params::vncproxy_service_name}'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
novnc_proxy_certificates_specs:
service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
service_key: '/etc/pki/tls/private/novnc_proxy.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
principal:
str_replace:
template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
postsave_cmd: "/usr/bin/certmonger-novnc-proxy-refresh.sh"
- {}
service_config_settings:
fluentd:
tripleo_fluentd_groups_nova_vnc_proxy:
- nova
tripleo_fluentd_sources_nova_vnc_proxy:
- {get_param: NovaVncproxyLoggingSource}
step_config: |
include tripleo::profile::base::nova::vncproxy
upgrade_tasks:
- name: Stop nova_vnc_proxy service
when: step|int == 1
service: name=openstack-nova-consoleauth state=stopped
metadata_settings:
if:
- use_tls_for_vnc
-
- service: libvirt-vnc
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- service: novnc-proxy
network: {get_param: [ServiceNetMap, NovaApiNetwork]}
type: node
- null