From 2bae8cc78a9191b6dbe7cdb94fc9e4d5f04b9614 Mon Sep 17 00:00:00 2001 
From: Jill Rouleau Date: Mon, 21 Jan 2019 11:43:46 -0700 Subject: [PATCH] step1: flatten nova service configuration This change combines the previous puppet and docker files into a single file that performs the docker service installation and configuration. With this patch the baremetal version of nova has been removed. Change-Id: If8f4daa9127aa528a2088a978494f2d6d83106e2 --- .../scenario006-multinode-containers.yaml | 2 +- .../scenario012-multinode-containers.yaml | 2 +- .../nova-consoleauth-container-puppet.yaml | 45 ++-- .../nova/nova-ironic-container-puppet.yaml | 34 ++- .../nova/nova-metadata-container-puppet.yaml | 124 +++++++++-- ...ova-migration-target-container-puppet.yaml | 47 +++- .../nova/nova-vnc-proxy-container-puppet.yaml | 130 +++++++++-- environments/baremetal-services.yaml | 8 +- environments/computealt.yaml | 2 +- environments/services/ironic.yaml | 2 +- overcloud-resource-registry-puppet.j2.yaml | 8 +- puppet/services/nova-consoleauth.yaml | 72 ------ puppet/services/nova-ironic.yaml | 71 ------ puppet/services/nova-migration-target.yaml | 84 ------- puppet/services/nova-vnc-proxy.yaml | 210 ------------------ 15 files changed, 316 insertions(+), 525 deletions(-) rename docker/services/nova-consoleauth.yaml => deployment/nova/nova-consoleauth-container-puppet.yaml (86%) rename docker/services/nova-ironic.yaml => deployment/nova/nova-ironic-container-puppet.yaml (85%) rename docker/services/nova-metadata.yaml => deployment/nova/nova-metadata-container-puppet.yaml (53%) rename docker/services/nova-migration-target.yaml => deployment/nova/nova-migration-target-container-puppet.yaml (76%) rename docker/services/nova-vnc-proxy.yaml => deployment/nova/nova-vnc-proxy-container-puppet.yaml (62%) delete mode 100644 puppet/services/nova-consoleauth.yaml delete mode 100644 puppet/services/nova-ironic.yaml delete mode 100644 puppet/services/nova-migration-target.yaml delete mode 100644 puppet/services/nova-vnc-proxy.yaml 
diff --git a/ci/environments/scenario006-multinode-containers.yaml b/ci/environments/scenario006-multinode-containers.yaml index 15a7e32d25..6ee5cd5220 100644 --- a/ci/environments/scenario006-multinode-containers.yaml +++ b/ci/environments/scenario006-multinode-containers.yaml @@ -1,7 +1,7 @@ resource_registry: OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml - OS::TripleO::Services::NovaIronic: ../docker/services/nova-ironic.yaml + OS::TripleO::Services::NovaIronic: ../deployment/nova/nova-ironic-container-puppet.yaml OS::TripleO::Services::IronicApi: ../deployment/ironic/ironic-api-container-puppet.yaml OS::TripleO::Services::IronicConductor: ../deployment/ironic/ironic-conductor-container-puppet.yaml OS::TripleO::Services::IronicPxe: ../deployment/ironic/ironic-pxe-container-puppet.yaml diff --git a/ci/environments/scenario012-multinode-containers.yaml b/ci/environments/scenario012-multinode-containers.yaml index d635e36431..71cc7fe718 100644 --- a/ci/environments/scenario012-multinode-containers.yaml +++ b/ci/environments/scenario012-multinode-containers.yaml @@ -1,7 +1,7 @@ resource_registry: OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml - OS::TripleO::Services::NovaIronic: ../../docker/services/nova-ironic.yaml + OS::TripleO::Services::NovaIronic: ../../deployment/nova/nova-ironic-container-puppet.yaml OS::TripleO::Services::IronicApi: ../../deployment/ironic/ironic-api-container-puppet.yaml OS::TripleO::Services::IronicConductor: ../../deployment/ironic/ironic-conductor-container-puppet.yaml OS::TripleO::Services::IronicPxe: ../../deployment/ironic/ironic-pxe-container-puppet.yaml 
diff --git a/docker/services/nova-consoleauth.yaml b/deployment/nova/nova-consoleauth-container-puppet.yaml similarity index 86% rename from docker/services/nova-consoleauth.yaml rename to deployment/nova/nova-consoleauth-container-puppet.yaml index 24bacdc7b4..985c8bf3dd 100644 --- a/docker/services/nova-consoleauth.yaml +++ b/deployment/nova/nova-consoleauth-container-puppet.yaml 
@@ -45,43 +45,51 @@ parameters: default: false description: Remove package if the service is being disabled during upgrade type: boolean + MonitoringSubscriptionNovaConsoleauth: + default: 'overcloud-nova-consoleauth' + type: string + RpcPort: + default: 5672 + description: The network port for messaging backend + type: number resources: ContainersCommon: - type: ./containers-common.yaml + type: ../../docker/services/containers-common.yaml MySQLClient: type: ../../deployment/database/mysql-client.yaml - NovaConsoleauthPuppetBase: - type: ../../puppet/services/nova-consoleauth.yaml - properties: - EndpointMap: {get_param: EndpointMap} - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - NovaLogging: type: OS::TripleO::Services::Logging::NovaCommon properties: DockerNovaImage: {get_param: DockerNovaConsoleauthImage} NovaServiceName: 'consoleauth' + NovaBase: + type: ../../puppet/services/nova-base.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + outputs: role_data: description: Role data for the Nova Consoleauth service. 
value: - service_name: {get_attr: [NovaConsoleauthPuppetBase, role_data, service_name]} + service_name: nova_consoleauth + monitoring_subscription: {get_param: MonitoringSubscriptionNovaConsoleauth} config_settings: map_merge: - - {get_attr: [NovaConsoleauthPuppetBase, role_data, config_settings]} + - {get_attr: [NovaBase, role_data, config_settings]} - {get_attr: [NovaLogging, config_settings]} service_config_settings: map_merge: - - get_attr: [NovaConsoleauthPuppetBase, role_data, service_config_settings] + - get_attr: [NovaBase, role_data, service_config_settings] - fluentd: tripleo_fluentd_groups_nova_consoleauth: - nova @@ -94,7 +102,7 @@ outputs: step_config: list_join: - "\n" - - - {get_attr: [NovaConsoleauthPuppetBase, role_data, step_config]} + - - include tripleo::profile::base::nova::consoleauth - {get_attr: [MySQLClient, role_data, step_config]} config_image: {get_param: DockerNovaConfigImage} kolla_config: @@ -113,6 +121,8 @@ outputs: - path: /var/log/nova owner: nova:nova recurse: true + step_config: | + include tripleo::profile::base::nova::consoleauth docker_config: step_4: nova_consoleauth: @@ -128,7 +138,7 @@ outputs: - yaql: expression: str($.data.port) data: - port: {get_attr: [NovaConsoleauthPuppetBase, role_data, config_settings, 'nova::rabbit_port']} + port: {get_param: RpcPort} volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} @@ -147,6 +157,9 @@ outputs: persistent: yes state: yes upgrade_tasks: + - name: Stop nova_consoleauth service + when: step|int == 1 + service: name=openstack-nova-consoleauth state=stopped - when: step|int == 3 block: - name: Set fact for removal of openstack-nova-console package diff --git a/docker/services/nova-ironic.yaml b/deployment/nova/nova-ironic-container-puppet.yaml similarity index 85% rename from docker/services/nova-ironic.yaml rename to deployment/nova/nova-ironic-container-puppet.yaml index 3100e00d89..77fbb6a426 100644 --- a/docker/services/nova-ironic.yaml 
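Review bot: The nova_consoleauth healthcheck port now comes from a new local `RpcPort` parameter (default 5672), while nova-ironic in this same change keeps reading `nova::rabbit_port` out of NovaBase; if nova-base derives that value from anything other than RpcPort (a TLS listener, for instance), the container healthcheck probes a port the service does not actually use. Unless there is a reason for the two templates to differ, use the same source here: `port: {get_attr: [NovaBase, role_data, config_settings, 'nova::rabbit_port']}` and drop the local RpcPort parameter, or at least say in the RpcPort description that it must match the messaging port nova-base is configured with.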
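Review bot: The new step-1 task stops `openstack-nova-consoleauth` but, unlike the equivalent task added to nova-ironic in this change, does not disable it, so a reboot between upgrade steps can bring the baremetal unit back up next to the container. `service: name=openstack-nova-consoleauth state=stopped enabled=no` keeps the two templates consistent. The task will presumably also fail on hosts where that unit was never installed (a deployment that was already containerised) unless an existing `systemctl is-enabled` check further down the task list guards it, which I cannot see from this hunk.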
+++ b/deployment/nova/nova-ironic-container-puppet.yaml @@ -40,17 +40,21 @@ parameters: default: false description: Remove package if the service is being disabled during upgrade type: boolean + IronicPassword: + description: The password for the Ironic service and db account, used by the Ironic services + type: string + hidden: true resources: ContainersCommon: - type: ./containers-common.yaml + type: ../../docker/services/containers-common.yaml MySQLClient: type: ../../deployment/database/mysql-client.yaml NovaComputeCommon: - type: ./nova-compute-common.yaml + type: ../../docker/services/nova-compute-common.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} @@ -59,8 +63,8 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} - NovaIronicBase: - type: ../../puppet/services/nova-ironic.yaml + NovaBase: + type: ../../puppet/services/nova-base.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} 
@@ -73,15 +77,26 @@ outputs: role_data: description: Role data for the Nova Compute service. value: - service_name: {get_attr: [NovaIronicBase, role_data, service_name]} - config_settings: {get_attr: [NovaIronicBase, role_data, config_settings]} + service_name: nova_ironic + config_settings: + map_merge: + - get_attr: [NovaBase, role_data, config_settings] + - nova::compute::force_config_drive: true + nova::compute::reserved_host_memory: '0' + nova::compute::vnc_enabled: false + nova::ironic::common::password: {get_param: IronicPassword} + nova::ironic::common::project_name: 'service' + nova::ironic::common::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + nova::ironic::common::username: 'ironic' + nova::ironic::common::api_endpoint: {get_param: [EndpointMap, IronicInternal, uri]} + nova::network::neutron::dhcp_domain: '' puppet_config: config_volume: nova puppet_tags: nova_config,nova_paste_api_ini step_config: list_join: - "\n" - - - {get_attr: [NovaIronicBase, role_data, step_config]} + - - include tripleo::profile::base::nova::compute::ironic - {get_attr: [MySQLClient, role_data, step_config]} config_image: {get_param: DockerNovaConfigImage} kolla_config: @@ -131,7 +146,7 @@ outputs: - yaql: expression: str($.data.port) data: - port: {get_attr: [NovaIronicBase, role_data, config_settings, 'nova::rabbit_port']} + port: {get_attr: [NovaBase, role_data, config_settings, 'nova::rabbit_port']} volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} @@ -184,6 +199,9 @@ outputs: persistent: yes state: yes upgrade_tasks: + - name: Stop openstack-nova-compute service + when: step|int == 1 + service: name=openstack-nova-compute state=stopped enabled=no - when: step|int == 3 block: - name: Set fact for removal of openstack-nova-compute package 
diff --git a/docker/services/nova-metadata.yaml b/deployment/nova/nova-metadata-container-puppet.yaml similarity index 53% rename from docker/services/nova-metadata.yaml rename to deployment/nova/nova-metadata-container-puppet.yaml index 9c5695c69e..2ae254ca54 100644 --- a/docker/services/nova-metadata.yaml +++ b/deployment/nova/nova-metadata-container-puppet.yaml 
@@ -48,40 +48,73 @@ parameters: default: false description: When true we create the NAT rule for the metadata service type: boolean + NovaWorkers: + default: 0 + description: Number of workers for Nova services. + type: number + NovaPassword: + description: The password for the nova service and db account + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + NeutronMetadataProxySharedSecret: + description: Shared secret to prevent spoofing + type: string + hidden: true + MonitoringSubscriptionNovaMetadata: + default: 'overcloud-nova-metadata' + type: string conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} need_metadata_nat_rule: {equals: [{get_param: MetadataNATRule}, true]} + nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} + is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}} resources: ContainersCommon: - type: ./containers-common.yaml + type: ../../docker/services/containers-common.yaml MySQLClient: type: ../../deployment/database/mysql-client.yaml - NovaMetadataBase: - type: ../../puppet/services/nova-metadata.yaml + NovaMetadataLogging: + type: OS::TripleO::Services::Logging::NovaMetadata + + ApacheServiceBase: + type: ../../puppet/services/apache.yaml properties: - EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} - NovaMetadataLogging: - type: OS::TripleO::Services::Logging::NovaMetadata + NovaBase: + type: ../../puppet/services/nova-base.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: 
{get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: description: Role data for the Nova Metadata service. value: - service_name: {get_attr: [NovaMetadataBase, role_data, service_name]} + service_name: nova_metadata config_settings: map_merge: - - get_attr: [NovaMetadataBase, role_data, config_settings] + - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] - get_attr: [NovaMetadataLogging, config_settings] - apache::default_vhost: false - tripleo::nova_metadata::firewall_rules: 
@@ -98,14 +131,71 @@ outputs: extras: toports: 8775 - {} + - tripleo::nova_placement::firewall_rules: + '139 nova_metadata': + dport: + - 8775 + - 13775 + nova::keystone::authtoken::project_name: 'service' + nova::keystone::authtoken::password: {get_param: NovaPassword} + nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } + nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + nova::metadata::enable_proxy_headers_parsing: true + nova_metadata_wsgi_enabled: true + nova::wsgi::apache_metadata::api_port: '8775' + nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + nova::wsgi::apache_metadata::bind_host: + str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + nova::wsgi::apache_metadata::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + - + if: + - nova_workers_zero + - {} + - nova::wsgi::apache_metadata::workers: {get_param: NovaWorkers} + - + if: + - is_neutron_shared_metadata_notempty + - nova::metadata::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} + - {} service_config_settings: - map_merge: - - get_attr: [NovaMetadataBase, role_data, service_config_settings] - - fluentd: - tripleo_fluentd_groups_nova_metadata: - - nova - tripleo_fluentd_sources_nova_metadata: - - {get_param: NovaMetadataLoggingSource} + fluentd: + tripleo_fluentd_groups_nova_metadata: + - nova + tripleo_fluentd_sources_nova_metadata: + - {get_param: NovaMetadataLoggingSource} + keystone: + nova::keystone::auth::tenant: 'service' + 
nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]} + nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]} + nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} + nova::keystone::auth::password: {get_param: NovaPassword} + nova::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + map_merge: + - {get_attr: [NovaBase, role_data, service_config_settings, mysql]} + - nova::db::mysql_api::password: {get_param: NovaPassword} + nova::db::mysql_api::user: nova_api + nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + nova::db::mysql_api::dbname: nova_api + nova::db::mysql_api::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" + step_config: | + include tripleo::profile::base::nova::metadata # BEGIN DOCKER SETTINGS puppet_config: config_volume: nova_metadata @@ -113,7 +203,7 @@ outputs: step_config: list_join: - "\n" - - - {get_attr: [NovaMetadataBase, role_data, step_config]} + - - include tripleo::profile::base::nova::metadata - {get_attr: [MySQLClient, role_data, step_config]} config_image: {get_param: DockerNovaMetadataConfigImage} kolla_config: @@ -163,8 +253,6 @@ outputs: - '' environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - metadata_settings: - get_attr: [NovaMetadataBase, role_data, metadata_settings] host_prep_tasks: {get_attr: [NovaMetadataLogging, host_prep_tasks]} post_upgrade_tasks: - when: step|int == 1 diff --git a/docker/services/nova-migration-target.yaml b/deployment/nova/nova-migration-target-container-puppet.yaml similarity index 76% rename from docker/services/nova-migration-target.yaml rename to deployment/nova/nova-migration-target-container-puppet.yaml index c49f96fb27..fcaec22b4d 100644 --- a/docker/services/nova-migration-target.yaml +++ b/deployment/nova/nova-migration-target-container-puppet.yaml 
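Review bot: The new `'139 nova_metadata'` firewall rule that opens 8775 and 13775 is registered under `tripleo::nova_placement::firewall_rules`, not `tripleo::nova_metadata::firewall_rules`, the key the same map_merge already uses for the NAT rule a few lines above. Rules are presumably collected per enabled service from `tripleo::<service_name>::firewall_rules`, so as written the metadata ports are only opened when nova_placement shares the role, and this hiera key collides with placement's own rules from nova-placement.yaml (which one wins depends on merge order). Rename the key to `tripleo::nova_metadata::firewall_rules:` so the rule is tied to this service.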
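Review bot: The `metadata_settings` output is deleted without a replacement, and the new ApacheServiceBase resource's `metadata_settings` is not surfaced anywhere in this template. With `EnableInternalTLS` the apache vhost (`nova::wsgi::apache_metadata::ssl`) needs a certificate principal registered through metadata_settings, so dropping the output presumably leaves the internal-TLS metadata endpoint without a certificate; the vnc-proxy template in this same change keeps an explicit list for exactly this reason. Put `metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings]` in place of the removed lines.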
@@ -68,7 +68,7 @@ conditions: resources: ContainersCommon: - type: ./containers-common.yaml + type: ../../docker/services/containers-common.yaml SshdBase: type: ../../deployment/sshd/sshd-baremetal-puppet.yaml @@ -79,15 +79,6 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} - NovaMigrationTargetBase: - type: ../../puppet/services/nova-migration-target.yaml - properties: - EndpointMap: {get_param: EndpointMap} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - outputs: role_data: description: Role data for the Nova Migration Target service. 
@@ -96,7 +87,39 @@ outputs: config_settings: map_merge: - get_attr: [SshdBase, role_data, config_settings] - - get_attr: [NovaMigrationTargetBase, role_data, config_settings] + - tripleo::profile::base::nova::migration::target::ssh_authorized_keys: + - {get_param: [ MigrationSshKey, public_key ]} + tripleo::profile::base::nova::migration::target::ssh_localaddrs: + - "%{hiera('cold_migration_ssh_inbound_addr')}" + - "%{hiera('live_migration_ssh_inbound_addr')}" + live_migration_ssh_inbound_addr: + str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: + get_param: + - ServiceNetMap + - str_replace: + template: "ROLENAMEHostnameResolveNetwork" + params: + ROLENAME: {get_param: RoleName} + cold_migration_ssh_inbound_addr: + str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + tripleo::profile::base::sshd::port: + - 22 + - {get_param: MigrationSshPort} + tripleo::nova_migration_target::firewall_rules: + '113 nova_migration_target': + dport: + - {get_param: MigrationSshPort} + step_config: | + include tripleo::profile::base::nova::migration::target + # NB this prevents the baremetal ssh from listening on port 2022 # It doesn't affect the sshd port in the container as we override it below on the sshd cli - tripleo::profile::base::sshd::port: 22 @@ -112,7 +135,7 @@ outputs: list_join: - "\n" - - get_attr: [SshdBase, role_data, step_config] - - get_attr: [NovaMigrationTargetBase, role_data, step_config] + - include tripleo::profile::base::nova::migration::target config_image: {get_param: DockerNovaLibvirtConfigImage} kolla_config: /var/lib/kolla/config_files/nova-migration-target.json: diff --git a/docker/services/nova-vnc-proxy.yaml b/deployment/nova/nova-vnc-proxy-container-puppet.yaml similarity index 62% rename from docker/services/nova-vnc-proxy.yaml rename to deployment/nova/nova-vnc-proxy-container-puppet.yaml index 48b1b01407..2c126de84c 100644 
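Review bot: As far as the ordering lets indentation be recovered, the inlined `step_config: | include tripleo::profile::base::nova::migration::target` sits inside the `config_settings` map_merge item, between the firewall rule and the `- tripleo::profile::base::sshd::port: 22` entry, so it becomes a hiera key called `step_config` rather than a `role_data` output as in the consoleauth and metadata templates of this change. The container path still gets the include through `puppet_config.step_config` in the next hunk, but the service-level step_config this change is meant to carry over is missing and the stray hiera key is misleading. Move those two lines out of the map_merge to the same level as `config_settings`, as nova-consoleauth-container-puppet.yaml does.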
--- a/docker/services/nova-vnc-proxy.yaml +++ b/deployment/nova/nova-vnc-proxy-container-puppet.yaml 
@@ -86,47 +86,121 @@ conditions: - {get_param: LibvirtVncCACert} - '' + allow_noauth: + # Allow noauth VNC connections during P->Q upgrade. Remove in Rocky. + equals: [{get_param: StackUpdateType}, 'UPGRADE'] + resources: ContainersCommon: - type: ./containers-common.yaml + type: ../../docker/services/containers-common.yaml MySQLClient: type: ../../deployment/database/mysql-client.yaml - NovaVncProxyPuppetBase: - type: ../../puppet/services/nova-vnc-proxy.yaml - properties: - EndpointMap: {get_param: EndpointMap} - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - NovaLogging: type: OS::TripleO::Services::Logging::NovaCommon properties: DockerNovaImage: {get_param: DockerNovaVncProxyImage} NovaServiceName: 'vncproxy' + NovaBase: + type: ../../puppet/services/nova-base.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + outputs: role_data: description: Role data for the Nova Vncproxy service. 
value: - service_name: {get_attr: [NovaVncProxyPuppetBase, role_data, service_name]} + service_name: nova_vnc_proxy config_settings: map_merge: - - {get_attr: [NovaVncProxyPuppetBase, role_data, config_settings]} - {get_attr: [NovaLogging, config_settings]} + - nova::vncproxy::enabled: true + nova::vncproxy::common::vncproxy_protocol: {get_param: [EndpointMap, NovaVNCProxyPublic, protocol]} + nova::vncproxy::common::vncproxy_host: {get_param: [EndpointMap, NovaVNCProxyPublic, host_nobrackets]} + nova::vncproxy::common::vncproxy_port: {get_param: [EndpointMap, NovaVNCProxyPublic, port]} + # NOTE: bind IP is found in hiera replacing the network name with the local node IP + # for the given network; replacement examples (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + nova::vncproxy::host: + str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + tripleo::nova_vnc_proxy::firewall_rules: + '137 nova_vnc_proxy': + dport: + - 6080 + - 13080 + - + if: + - use_tls_for_vnc + - + nova::vncproxy::allow_vencrypt: true + nova::vncproxy::allow_noauth: {if: [allow_noauth, true, false]} + nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem + nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem + nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem + nova::ssl_only: true + nova::cert: /etc/pki/tls/certs/novnc_proxy.crt + nova::key: /etc/pki/tls/private/novnc_proxy.key + generate_service_certificates: true + tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem: + if: + - libvirt_vnc_specific_ca_unset + - get_param: InternalTLSVncCAFile + - get_param: LibvirtVncCACert + tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc' + libvirt_vnc_certificates_specs: + libvirt-vnc-client-cert: + cacertfile: + if: + - libvirt_vnc_specific_ca_unset + - get_param: InternalTLSVncCAFile + - null + 
service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem' + service_key: '/etc/pki/libvirt-vnc/client-key.pem' + notify_service: '%{::nova::params::vncproxy_service_name}' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + principal: + str_replace: + template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + novnc_proxy_certificates_specs: + service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt' + service_key: '/etc/pki/tls/private/novnc_proxy.key' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + principal: + str_replace: + template: "novnc-proxy/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + - {} service_config_settings: - map_merge: - - get_attr: [NovaVncProxyPuppetBase, role_data, service_config_settings] - - fluentd: - tripleo_fluentd_groups_nova_vnc_proxy: - - nova - tripleo_fluentd_sources_nova_vnc_proxy: - - {get_param: NovaVncproxyLoggingSource} + fluentd: + tripleo_fluentd_groups_nova_vnc_proxy: + - nova + tripleo_fluentd_sources_nova_vnc_proxy: + - {get_param: NovaVncproxyLoggingSource} # BEGIN DOCKER SETTINGS puppet_config: config_volume: nova @@ -134,7 +208,7 @@ outputs: step_config: list_join: - "\n" - - - {get_attr: [NovaVncProxyPuppetBase, role_data, step_config]} + - - include tripleo::profile::base::nova::vncproxy - {get_attr: [MySQLClient, role_data, step_config]} config_image: {get_param: DockerNovaConfigImage} kolla_config: 
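Review bot: The new `allow_noauth` condition sets `nova::vncproxy::allow_noauth: true` whenever `StackUpdateType` is `UPGRADE`, which lets the proxy fall back to unauthenticated, unencrypted VNC to compute nodes during every upgrade, not only the Pike-to-Queens one its comment describes. The comment itself says "Remove in Rocky" and the templates in this tree are already at `heat_template_version: rocky` (see the deleted nova-consoleauth.yaml below), so the fallback should not have been carried into the new file. Drop the condition and set `nova::vncproxy::allow_noauth: false` unconditionally; if some upgrade path still needs it, gate it on an explicit opt-in parameter and name that path in the comment.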
@@ -196,9 +270,21 @@ outputs: environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS metadata_settings: - get_attr: [NovaVncProxyPuppetBase, role_data, metadata_settings] + if: + - use_tls_for_vnc + - + - service: libvirt-vnc + network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + type: node + - service: novnc-proxy + network: {get_param: [ServiceNetMap, NovaApiNetwork]} + type: node + - null host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]} upgrade_tasks: + - name: Stop nova_vnc_proxy service + when: step|int == 1 + service: name=openstack-nova-consoleauth state=stopped - when: step|int == 3 block: - name: Set fact for removal of openstack-nova-novncproxy package diff --git a/environments/baremetal-services.yaml b/environments/baremetal-services.yaml index 6643bf7052..2eafcb97dc 100644 --- a/environments/baremetal-services.yaml +++ b/environments/baremetal-services.yaml 
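Review bot: The new step-1 task named "Stop nova_vnc_proxy service" stops `openstack-nova-consoleauth`, not the noVNC proxy unit, so the baremetal proxy keeps running while its package is removed at step 3 (per the task name in context); this looks like a copy from the consoleauth template. Change the line to `service: name=openstack-nova-novncproxy state=stopped enabled=no`, matching the package name the step-3 fact refers to; confirm the unit name against that package. The `enabled=no` also keeps it consistent with the nova-ironic task in this change.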
@@ -40,13 +40,13 @@ resource_registry: OS::TripleO::Services::NovaApi: ../puppet/services/nova-api.yaml OS::TripleO::Services::NovaCompute: ../puppet/services/nova-compute.yaml OS::TripleO::Services::NovaConductor: ../puppet/services/nova-conductor.yaml - OS::TripleO::Services::NovaConsoleauth: ../puppet/services/nova-consoleauth.yaml + OS::TripleO::Services::NovaConsoleauth: ../deployment/nova/nova-consoleauth.yaml OS::TripleO::Services::NovaLibvirt: ../puppet/services/nova-libvirt.yaml - OS::TripleO::Services::NovaMetadata: ../puppet/services/nova-metadata.yaml - OS::TripleO::Services::NovaMigrationTarget: ../puppet/services/nova-migration-target.yaml + OS::TripleO::Services::NovaMetadata: ../deployment/nova/nova-metadata-container-puppet.yaml + OS::TripleO::Services::NovaMigrationTarget: ../deployment/nova/nova-migration-target-container-puppet.yaml OS::TripleO::Services::NovaPlacement: ../puppet/services/nova-placement.yaml OS::TripleO::Services::NovaScheduler: ../puppet/services/nova-scheduler.yaml - OS::TripleO::Services::NovaVncProxy: ../puppet/services/nova-vnc-proxy.yaml + OS::TripleO::Services::NovaVncProxy: ../deployment/nova/nova-vnc-proxy-container-puppet.yaml OS::TripleO::Services::PankoApi: ../deployment/panko/panko-api-container-puppet.yaml OS::TripleO::Services::Qdr: OS::Heat::None OS::TripleO::Services::RabbitMQ: ../puppet/services/rabbitmq.yaml diff --git a/environments/computealt.yaml b/environments/computealt.yaml index 02e98ae848..1cd6a10495 100644 --- a/environments/computealt.yaml +++ b/environments/computealt.yaml 
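Review bot: `OS::TripleO::Services::NovaConsoleauth` is pointed at `../deployment/nova/nova-consoleauth.yaml`, a file this change does not create — the rename list produces `deployment/nova/nova-consoleauth-container-puppet.yaml`, and the other three entries in this hunk use that suffix. Heat will fail to resolve this environment as written. Change the line to `OS::TripleO::Services::NovaConsoleauth: ../deployment/nova/nova-consoleauth-container-puppet.yaml`.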
@@ -10,7 +10,7 @@ resource_registry: OS::TripleO::Services::IscsidAlt: ../deployment/iscsid/iscsid-container-puppet.yaml OS::TripleO::Services::NovaComputeAlt: ../puppet/services/nova-compute.yaml OS::TripleO::Services::NovaLibvirtAlt: ../puppet/services/nova-libvirt.yaml - OS::TripleO::Services::NovaMigrationTargetAlt: ../puppet/services/nova-migration-target.yaml + OS::TripleO::Services::NovaMigrationTargetAlt: ../deployment/nova/nova-migration-target-container-puppet.yaml OS::TripleO::Services::SensuClientAlt: OS::Heat::None # If enabling monitoring you'll need provide the following in a specific resource_registry # OS::TripleO::Services::SensuClientAlt: ../puppet/services/monitoring/sensu-client.yaml diff --git a/environments/services/ironic.yaml b/environments/services/ironic.yaml index ace29f8379..03d401d530 100644 --- a/environments/services/ironic.yaml +++ b/environments/services/ironic.yaml @@ -5,5 +5,5 @@ resource_registry: OS::TripleO::Services::IronicApi: ../../deployment/ironic/ironic-api-container-puppet.yaml OS::TripleO::Services::IronicConductor: ../../deployment/ironic/ironic-conductor-container-puppet.yaml OS::TripleO::Services::IronicPxe: ../../deployment/ironic/ironic-pxe-container-puppet.yaml - OS::TripleO::Services::NovaIronic: ../../docker/services/nova-ironic.yaml + OS::TripleO::Services::NovaIronic: ../../deployment/nova/nova-ironic-container-puppet.yaml OS::TripleO::Services::IronicNeutronAgent: ../../deployment/ironic/ironic-neutron-agent-container-puppet.yaml diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 0872106028..17235e3f32 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml 
@@ -194,14 +194,14 @@ resource_registry: OS::TripleO::Services::NovaApi: docker/services/nova-api.yaml OS::TripleO::Services::NovaCompute: docker/services/nova-compute.yaml OS::TripleO::Services::NovaConductor: docker/services/nova-conductor.yaml - OS::TripleO::Services::NovaConsoleauth: docker/services/nova-consoleauth.yaml + OS::TripleO::Services::NovaConsoleauth: deployment/nova/nova-consoleauth-container-puppet.yaml OS::TripleO::Services::NovaLibvirt: docker/services/nova-libvirt.yaml OS::TripleO::Services::NovaLibvirtGuests: puppet/services/nova-libvirt-guests.yaml - OS::TripleO::Services::NovaMetadata: docker/services/nova-metadata.yaml - OS::TripleO::Services::NovaMigrationTarget: docker/services/nova-migration-target.yaml + OS::TripleO::Services::NovaMetadata: deployment/nova/nova-metadata-container-puppet.yaml + OS::TripleO::Services::NovaMigrationTarget: deployment/nova/nova-migration-target-container-puppet.yaml OS::TripleO::Services::NovaPlacement: docker/services/nova-placement.yaml OS::TripleO::Services::NovaScheduler: docker/services/nova-scheduler.yaml - OS::TripleO::Services::NovaVncProxy: docker/services/nova-vnc-proxy.yaml + OS::TripleO::Services::NovaVncProxy: deployment/nova/nova-vnc-proxy-container-puppet.yaml OS::TripleO::Services::Novajoin: OS::Heat::None OS::TripleO::Services::ContainersLogrotateCrond: docker/services/logrotate-crond.yaml OS::TripleO::Services::OpenShift::Master: OS::Heat::None diff --git a/puppet/services/nova-consoleauth.yaml b/puppet/services/nova-consoleauth.yaml deleted file mode 100644 index 3520bbecc3..0000000000 --- a/puppet/services/nova-consoleauth.yaml +++ /dev/null 
@@ -1,72 +0,0 @@
-heat_template_version: rocky
-
-description: >
- OpenStack Nova Consoleauth service configured with Puppet
-
-parameters:
- ServiceData:
- default: {}
- description: Dictionary packing service data
- type: json
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- DefaultPasswords:
- default: {}
- type: json
- RoleName:
- default: ''
- description: Role name on which the service is applied
- type: string
- RoleParameters:
- default: {}
- description: Parameters specific to the role
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
- MonitoringSubscriptionNovaConsoleauth:
- default: 'overcloud-nova-consoleauth'
- type: string
- NovaConsoleauthLoggingSource:
- type: json
- default:
- tag: openstack.nova.consoleauth
- path: /var/log/nova/nova-consoleauth.log
-
-resources:
- NovaBase:
- type: ./nova-base.yaml
- properties:
- ServiceData: {get_param: ServiceData}
- ServiceNetMap: {get_param: ServiceNetMap}
- DefaultPasswords: {get_param: DefaultPasswords}
- EndpointMap: {get_param: EndpointMap}
- RoleName: {get_param: RoleName}
- RoleParameters: {get_param: RoleParameters}
-
-outputs:
- role_data:
- description: Role data for the Nova Consoleauth service.
- value:
- service_name: nova_consoleauth
- monitoring_subscription: {get_param: MonitoringSubscriptionNovaConsoleauth}
- config_settings:
- get_attr: [NovaBase, role_data, config_settings]
- service_config_settings:
- fluentd:
- tripleo_fluentd_groups_nova_consoleauth:
- - nova
- tripleo_fluentd_sources_nova_consoleauth:
- - {get_param: NovaConsoleauthLoggingSource}
- step_config: |
- include tripleo::profile::base::nova::consoleauth
- upgrade_tasks:
- - name: Stop nova_consoleauth service
- when: step|int == 1
- service: name=openstack-nova-consoleauth state=stopped
diff --git a/puppet/services/nova-ironic.yaml b/puppet/services/nova-ironic.yaml
deleted file mode 100644
index 66e3fe7ab7..0000000000
--- a/puppet/services/nova-ironic.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
-heat_template_version: rocky
-
-description: >
- OpenStack Nova Compute service configured with Puppet and using Ironic
-
-parameters:
- ServiceData:
- default: {}
- description: Dictionary packing service data
- type: json
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- DefaultPasswords:
- default: {}
- type: json
- RoleName:
- default: ''
- description: Role name on which the service is applied
- type: string
- RoleParameters:
- default: {}
- description: Parameters specific to the role
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
- IronicPassword:
- description: The password for the Ironic service and db account, used by the Ironic services
- type: string
- hidden: true
-
-resources:
- NovaBase:
- type: ./nova-base.yaml
- properties:
- ServiceData: {get_param: ServiceData}
- ServiceNetMap: {get_param: ServiceNetMap}
- DefaultPasswords: {get_param: DefaultPasswords}
- EndpointMap: {get_param: EndpointMap}
- RoleName: {get_param: RoleName}
- RoleParameters: {get_param: RoleParameters}
-
-outputs:
- role_data:
- description: Role data for the Nova Compute service with Ironic.
- value:
- service_name: nova_ironic
- config_settings:
- map_merge:
- - get_attr: [NovaBase, role_data, config_settings]
- - nova::compute::force_config_drive: true
- nova::compute::reserved_host_memory: '0'
- nova::compute::vnc_enabled: false
- nova::ironic::common::password: {get_param: IronicPassword}
- nova::ironic::common::project_name: 'service'
- nova::ironic::common::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
- nova::ironic::common::username: 'ironic'
- nova::ironic::common::api_endpoint: {get_param: [EndpointMap, IronicInternal, uri]}
- nova::network::neutron::dhcp_domain: ''
- step_config: |
- include tripleo::profile::base::nova::compute::ironic
- upgrade_tasks:
- - name: Stop openstack-nova-compute service
- when: step|int == 1
- service: name=openstack-nova-compute state=stopped enabled=no
diff --git a/puppet/services/nova-migration-target.yaml b/puppet/services/nova-migration-target.yaml
deleted file mode 100644
index a4a3581a97..0000000000
--- a/puppet/services/nova-migration-target.yaml
+++ /dev/null
@@ -1,84 +0,0 @@
-heat_template_version: rocky
-
-description: >
- OpenStack Nova migration target configured with Puppet
-
-parameters:
- ServiceData:
- default: {}
- description: Dictionary packing service data
- type: json
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- DefaultPasswords:
- default: {}
- type: json
- RoleName:
- default: ''
- description: Role name on which the service is applied
- type: string
- RoleParameters:
- default: {}
- description: Parameters specific to the role
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
- MigrationSshKey:
- type: json
- description: >
- SSH key for migration.
- Expects a dictionary with keys 'public_key' and 'private_key'.
- Values should be identical to SSH public/private key files.
- default:
- public_key: ''
- private_key: ''
- MigrationSshPort:
- default: 2022
- description: Target port for migration over ssh
- type: number
-
-outputs:
- role_data:
- description: Role data for the Nova migration target service.
- value:
- service_name: nova_migration_target
- config_settings:
- tripleo::profile::base::nova::migration::target::ssh_authorized_keys:
- - {get_param: [ MigrationSshKey, public_key ]}
- tripleo::profile::base::nova::migration::target::ssh_localaddrs:
- - "%{hiera('cold_migration_ssh_inbound_addr')}"
- - "%{hiera('live_migration_ssh_inbound_addr')}"
- live_migration_ssh_inbound_addr:
- str_replace:
- template:
- "%{hiera('$NETWORK')}"
- params:
- $NETWORK:
- get_param:
- - ServiceNetMap
- - str_replace:
- template: "ROLENAMEHostnameResolveNetwork"
- params:
- ROLENAME: {get_param: RoleName}
- cold_migration_ssh_inbound_addr:
- str_replace:
- template:
- "%{hiera('$NETWORK')}"
- params:
- $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
- tripleo::profile::base::sshd::port:
- - 22
- - {get_param: MigrationSshPort}
- tripleo::nova_migration_target::firewall_rules:
- '113 nova_migration_target':
- dport:
- - {get_param: MigrationSshPort}
- step_config: |
- include tripleo::profile::base::nova::migration::target
diff --git a/puppet/services/nova-vnc-proxy.yaml b/puppet/services/nova-vnc-proxy.yaml
deleted file mode 100644
index c4b1a5e33c..0000000000
--- a/puppet/services/nova-vnc-proxy.yaml
+++ /dev/null
@@ -1,210 +0,0 @@
-heat_template_version: rocky
-
-description: >
- OpenStack Nova Vncproxy service configured with Puppet
-
-parameters:
- ServiceData:
- default: {}
- description: Dictionary packing service data
- type: json
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- DefaultPasswords:
- default: {}
- type: json
- RoleName:
- default: ''
- description: Role name on which the service is applied
- type: string
- RoleParameters:
- default: {}
- description: Parameters specific to the role
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
- StackUpdateType:
- type: string
- description: >
- Type of update, to differentiate between UPGRADE and UPDATE cases
- when StackAction is UPDATE (both are the same stack action).
- constraints:
- - allowed_values: ['', 'UPGRADE', 'FASTFORWARDUPGRADE']
- default: ''
- MonitoringSubscriptionNovaVNCProxy:
- default: 'overcloud-nova-vncproxy'
- type: string
- NovaVncproxyLoggingSource:
- type: json
- default:
- tag: openstack.nova.vncproxy
- path: /var/log/nova/nova-vncproxy.log
- EnableInternalTLS:
- type: boolean
- default: false
- UseTLSTransportForVnc:
- type: boolean
- default: true
- description: If set to true and if EnableInternalTLS is enabled, it will
- enable TLS transaport for libvirt VNC and configure the
- relevant keys for libvirt.
- InternalTLSVncCAFile:
- default: '/etc/pki/CA/certs/vnc.crt'
- type: string
- description: Specifies the CA cert to use for VNC TLS.
- LibvirtVncCACert:
- type: string
- default: ''
- description: This specifies the CA certificate to use for VNC TLS.
- This file will be symlinked to the default CA path,
- which is /etc/pki/libvirt-vnc/ca-cert.pem.
- This parameter should be used if the default (which comes from
- the InternalTLSVncCAFile parameter) is not desired. The current
- default reflects TripleO's default CA, which is FreeIPA.
- It will only be used if internal TLS is enabled.
-
-conditions:
-
- use_tls_for_vnc:
- and:
- - equals:
- - {get_param: EnableInternalTLS}
- - true
- - equals:
- - {get_param: UseTLSTransportForVnc}
- - true
-
- libvirt_vnc_specific_ca_unset:
- equals:
- - {get_param: LibvirtVncCACert}
- - ''
-
- allow_noauth:
- # Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
- equals: [{get_param: StackUpdateType}, 'UPGRADE']
-
-
-resources:
- NovaBase:
- type: ./nova-base.yaml
- properties:
- ServiceData: {get_param: ServiceData}
- ServiceNetMap: {get_param: ServiceNetMap}
- DefaultPasswords: {get_param: DefaultPasswords}
- EndpointMap: {get_param: EndpointMap}
- RoleName: {get_param: RoleName}
- RoleParameters: {get_param: RoleParameters}
-
-outputs:
- role_data:
- description: Role data for the Nova Vncproxy service.
- value:
- service_name: nova_vnc_proxy
- monitoring_subscription: {get_param: MonitoringSubscriptionNovaVNCProxy}
- config_settings:
- map_merge:
- - get_attr: [NovaBase, role_data, config_settings]
- - nova::vncproxy::enabled: true
- nova::vncproxy::common::vncproxy_protocol: {get_param: [EndpointMap, NovaVNCProxyPublic, protocol]}
- nova::vncproxy::common::vncproxy_host: {get_param: [EndpointMap, NovaVNCProxyPublic, host_nobrackets]}
- nova::vncproxy::common::vncproxy_port: {get_param: [EndpointMap, NovaVNCProxyPublic, port]}
- # NOTE: bind IP is found in hiera replacing the network name with the local node IP
- # for the given network; replacement examples (eg. for internal_api):
- # internal_api -> IP
- # internal_api_uri -> [IP]
- # internal_api_subnet - > IP/CIDR
- nova::vncproxy::host:
- str_replace:
- template:
- "%{hiera('$NETWORK')}"
- params:
- $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
- tripleo::nova_vnc_proxy::firewall_rules:
- '137 nova_vnc_proxy':
- dport:
- - 6080
- - 13080
- -
- if:
- - use_tls_for_vnc
- -
- nova::vncproxy::allow_vencrypt: true
- nova::vncproxy::allow_noauth: {if: [allow_noauth, true, false]}
- nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem
- nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
- nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
- nova::ssl_only: true
- nova::cert: /etc/pki/tls/certs/novnc_proxy.crt
- nova::key: /etc/pki/tls/private/novnc_proxy.key
- generate_service_certificates: true
- tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
- if:
- - libvirt_vnc_specific_ca_unset
- - get_param: InternalTLSVncCAFile
- - get_param: LibvirtVncCACert
- tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
- libvirt_vnc_certificates_specs:
- libvirt-vnc-client-cert:
- cacertfile:
- if:
- - libvirt_vnc_specific_ca_unset
- - get_param: InternalTLSVncCAFile
- - null
- service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem'
- service_key: '/etc/pki/libvirt-vnc/client-key.pem'
- notify_service: '%{::nova::params::vncproxy_service_name}'
- hostname:
- str_replace:
- template: "%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- principal:
- str_replace:
- template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- novnc_proxy_certificates_specs:
- service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
- service_key: '/etc/pki/tls/private/novnc_proxy.key'
- hostname:
- str_replace:
- template: "%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
- principal:
- str_replace:
- template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
- params:
- NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
- postsave_cmd: "/usr/bin/certmonger-novnc-proxy-refresh.sh"
- - {}
- service_config_settings:
- fluentd:
- tripleo_fluentd_groups_nova_vnc_proxy:
- - nova
- tripleo_fluentd_sources_nova_vnc_proxy:
- - {get_param: NovaVncproxyLoggingSource}
- step_config: |
- include tripleo::profile::base::nova::vncproxy
- upgrade_tasks:
- - name: Stop nova_vnc_proxy service
- when: step|int == 1
- service: name=openstack-nova-consoleauth state=stopped
- metadata_settings:
- if:
- - use_tls_for_vnc
- -
- - service: libvirt-vnc
- network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- type: node
- - service: novnc-proxy
- network: {get_param: [ServiceNetMap, NovaApiNetwork]}
- type: node
- - null