openstack/tripleo-heat-templates
Code Issues Proposed changes

Enable support for Libvirt modular daemons

Browse Source 
This change adds configuration for modular libvirt
daemons running in separate containers.

This change also deprecates nova-libvirt-container-puppet.yaml
heat-template which configure monolithic libvirt daemon on
compute nodes and use newly added heat-template
nova-modular-libvirt-container-puppet.yaml to configure modular
libvirt daemons on compute nodes.

Depends-On: https://review.opendev.org/c/openstack/puppet-nova/+/785305
Depends-On: https://review.opendev.org/c/openstack/puppet-tripleo/+/803911

Co-Authored-By: Martin Schuppert <mschuppert@redhat.com>
Co-Authored-By: David Vallee Delisle <dvd@redhat.com>
Change-Id: Ic0a13ab453ae8d3c1882b3719df295a2b0b510c5
This commit is contained in:
Rajesh Tailor 2021-08-09 18:02:37 +05:30
parent dc924b0de8
commit 768b66f885
6 changed files with 1239 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
deployment/nova/nova-libvirt-container-puppet.yaml → deployment/deprecated/nova/nova-libvirt-container-puppet.yaml
View File

@ -330,13 +330,13 @@ resources:
NovaLibvirtOptVolumes: {get_param: NovaLibvirtOptVolumes}
ContainersCommon:
type: ../containers-common.yaml
type: ../../containers-common.yaml
NovaLibvirtLogging:
type: OS::TripleO::Services::Logging::NovaLibvirt
NovaBase:
type: ./nova-base-puppet.yaml
type: ../../nova/nova-base-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
@ -412,6 +412,8 @@ outputs:
nova::compute::libvirt::virtlogd::log_filters: {get_param: LibvirtVirtlogdLogFilters}
rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
rbd_disk_cachemodes: {get_param: RbdDiskCachemodes}
tripleo::profile::base::nova::libvirt::modular_libvirt: false
nova::params::modular_libvirt: false
- if:
- use_tls_for_live_migration
- tripleo::profile::base::nova::migration::client::libvirt_tls: true
@ -516,7 +518,7 @@ outputs:
- ''
nova_libvirt_init_secret.sh:
mode: "0755"
content: { get_file: ../../container_config_scripts/nova_libvirt_init_secret.sh }
content: { get_file: ../../../container_config_scripts/nova_libvirt_init_secret.sh }
docker_config:
step_2:
create_virtlogd_wrapper:

65
deployment/logging/files/nova-libvirt.yaml
View File

@ -26,6 +26,41 @@ parameters:
type: number
constraints:
- range: { min: 1, max: 4 }
LibvirtVirtsecretdLogLevel:
default: 3
description: Defines log level in virtsecretd to filter log output.
See https://libvirt.org/logging.html to find its detail.
type: number
constraints:
- range: { min: 1, max: 4 }
LibvirtVirtnodedevdLogLevel:
default: 3
description: Defines log level in virtnodedevd to filter log output.
See https://libvirt.org/logging.html to find its detail.
type: number
constraints:
- range: { min: 1, max: 4 }
LibvirtVirtqemudLogLevel:
default: 3
description: Defines log level in virtqemud to filter log output.
See https://libvirt.org/logging.html to find its detail.
type: number
constraints:
- range: { min: 1, max: 4 }
LibvirtVirtproxydLogLevel:
default: 3
description: Defines log level in virtproxyd to filter log output.
See https://libvirt.org/logging.html to find its detail.
type: number
constraints:
- range: { min: 1, max: 4 }
LibvirtVirtstoragedLogLevel:
default: 3
description: Defines log level in virtstoraged to filter log output.
See https://libvirt.org/logging.html to find its detail.
type: number
constraints:
- range: { min: 1, max: 4 }
outputs:
config_settings:
@ -55,6 +90,36 @@ outputs:
- {get_param: LibvirtDebug }
- 1
- {get_param: LibvirtVirtlogdLogLevel}
nova::compute::libvirt::virtsecretd::log_outputs:
str_replace:
template:
'LEVEL:file:/var/log/libvirt/virtsecretd.log'
params:
LEVEL: {get_param: LibvirtVirtsecretdLogLevel}
nova::compute::libvirt::virtnodedevd::log_outputs:
str_replace:
template:
'LEVEL:file:/var/log/libvirt/virtnodedevd.log'
params:
LEVEL: {get_param: LibvirtVirtnodedevdLogLevel}
nova::compute::libvirt::virtqemud::log_outputs:
str_replace:
template:
'LEVEL:file:/var/log/libvirt/virtqemud.log'
params:
LEVEL: {get_param: LibvirtVirtqemudLogLevel}
nova::compute::libvirt::virtproxyd::log_outputs:
str_replace:
template:
'LEVEL:file:/var/log/libvirt/virtproxyd.log'
params:
LEVEL: {get_param: LibvirtVirtproxydLogLevel}
nova::compute::libvirt::virtstoraged::log_outputs:
str_replace:
template:
'LEVEL:file:/var/log/libvirt/virtstoraged.log'
params:
LEVEL: {get_param: LibvirtVirtstoragedLogLevel}
volumes:
description: The volumes needed to log to files in the host.
value:

979
deployment/nova/nova-modular-libvirt-container-puppet.yaml Normal file
View File

@ -0,0 +1,979 @@
heat_template_version: wallaby
description: >
OpenStack Modular Libvirt Service
parameters:
ContainerNovaLibvirtImage:
description: image
type: string
# we configure libvirt via the nova-compute container due to coupling
# in the puppet modules
ContainerNovaLibvirtConfigImage:
description: The container image to use for the nova_libvirt config_volume
type: string
ContainerNovaLibvirtUlimit:
default: ['nofile=131072', 'nproc=126960']
description: ulimit for Nova Libvirt Container
type: comma_delimited_list
ContainerNovaLibvirtPidsLimit:
default: 65536
description: Tune nova_libvirt container PID limit (set to 0 for unlimited)
(defaults to 65536)
type: number
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
EnableInternalTLS:
type: boolean
default: false
UseTLSTransportForLiveMigration:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
relevant keys for libvirt.
NovaEnableRbdBackend:
default: false
description: Whether to enable the Rbd backend for Nova ephemeral storage.
type: boolean
tags:
- role_specific
CinderEnableRbdBackend:
default: false
description: Whether to enable or not the Rbd backend for Cinder
type: boolean
CephClientKey:
description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
type: string
hidden: true
constraints:
- allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
CephClusterFSID:
type: string
description: The Ceph cluster FSID. Must be a UUID.
CephClientUserName:
default: openstack
type: string
CephClusterName:
type: string
default: ceph
description: The Ceph cluster name.
constraints:
- allowed_pattern: "[a-zA-Z0-9]+"
description: >
The Ceph cluster name must be at least 1 character and contain only
letters and numbers.
CephConfigPath:
type: string
default: "/var/lib/tripleo-config/ceph"
description: |
The path where the Ceph Cluster config files are stored on the host.
CinderRbdMultiConfig:
type: json
default: {}
description: |
Dictionary of settings when configuring multiple RBD backends. The
hash key is the backend name, and the value is a dictionary of parameter
values unique to that backend. The following parameters are required,
and must match the corresponding value defined in CephExternalMultiConfig.
CephClusterName (must match the CephExternalMultiConfig entry's 'cluster')
CephClusterFSID (must match the CephExternalMultiConfig entry's 'fsid')
The following parameters are optional, and override the corresponding
parameter's default value.
CephClientUserName
CinderRbdPoolName
CinderRbdExtraPools
CinderRbdAvailabilityZone
CinderRbdFlattenVolumeFromSnapshot
UseTLSTransportForVnc:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt.
UseTLSTransportForNbd:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt NBD and configure the
relevant keys for libvirt.
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
LibvirtCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
QemuServerCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
QemuClientCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
LibvirtCACert:
type: string
default: ''
description: This specifies the CA certificate to use for TLS in libvirt.
This file will be symlinked to the default CA path in libvirt,
which is /etc/pki/CA/cacert.pem. Note that due to limitations
GNU TLS, which is the TLS backend for libvirt, the file must
be less than 65K (so we can't use the system's CA bundle).
This parameter should be used if the default (which comes from
the InternalTLSCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
QemuCACert:
type: string
default: ''
description: This specifies the CA certificate to use for qemu.
This file will be symlinked to the default CA path,
which is /etc/pki/qemu/ca-cert.pem.
This parameter should be used if the default (which comes from
the InternalTLSCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
VhostuserSocketGroup:
default: "qemu"
description: >
The vhost-user socket directory group name.
Defaults to 'qemu'. When vhostuser mode is 'dpdkvhostuserclient'
(which is the default mode), the vhost socket is created by qemu.
type: string
tags:
- role_specific
QemuMemoryBackingDir:
type: string
description: >
Directory used for memoryBacking source if configured as file.
NOTE: big files will be stored here
default: ''
tags:
- role_specific
NovaComputeLibvirtType:
type: string
default: kvm
LibvirtEnabledPerfEvents:
type: comma_delimited_list
default: []
description: This is a performance event list which could be used as monitor.
For example - ``enabled_perf_events = cmt, mbml, mbmt``
The supported events list can be found in
https://libvirt.org/html/libvirt-libvirt-domain.html ,
which you may need to search key words ``VIR_PERF_PARAM_*``
MonitoringSubscriptionNovaLibvirt:
default: 'overcloud-nova-libvirt'
type: string
MigrationSshKey:
type: json
description: >
SSH key for migration.
Expects a dictionary with keys 'public_key' and 'private_key'.
Values should be identical to SSH public/private key files.
default:
public_key: ''
private_key: ''
MigrationSshPort:
default: 2022
description: Target port for migration over ssh
type: number
LibvirtTLSPassword:
description: The password for the libvirt service when TLS is enabled
type: string
hidden: true
QemuDefaultTLSVerify:
description: >
Whether to enable or disable TLS client certificate verification. Enabling this
option will reject any client who does not have a certificate signed by the CA
in /etc/pki/qemu/ca-cert.pem
default: true
type: boolean
LibvirtLogFilters:
description: Defines a filter in libvirt daemon to select a different
logging level for a given category log outputs, as specified
in https://libvirt.org/logging.html .
type: string
default: '1:libvirt 1:qemu 1:conf 1:security 3:event 3:json 3:file 3:object 1:util'
LibvirtVirtlogdLogFilters:
description: Defines a filter in virtlogd to select a different
logging level for a given category log outputs, as specified
in https://libvirt.org/logging.html .
type: string
default: '1:logging 4:object 4:json 4:event 1:util'
LibvirtVirtsecretdLogFilters:
description: Defines a filter in virtsecretd to select a different
logging level for a given category log outputs, as specified
in https://libvirt.org/logging.html .
type: string
default: '1:logging 4:object 4:json 4:event 1:util'
LibvirtVirtnodedevdLogFilters:
description: Defines a filter in virtnodedevd to select a different
logging level for a given category log outputs, as specified
in https://libvirt.org/logging.html .
type: string
default: '1:logging 4:object 4:json 4:event 1:util'
LibvirtVirtstoragedLogFilters:
description: Defines a filter in virtstoraged to select a different
logging level for a given category log outputs, as specified
in https://libvirt.org/logging.html .
type: string
default: '1:logging 4:object 4:json 4:event 1:util'
LibvirtVirtqemudLogFilters:
description: Defines a filter in virtqemud to select a different
logging level for a given category log outputs, as specified
in https://libvirt.org/logging.html .
type: string
default: '1:logging 4:object 4:json 4:event 1:util'
LibvirtVirtproxydLogFilters:
description: Defines a filter in virtproxyd to select a different
logging level for a given category log outputs, as specified
in https://libvirt.org/logging.html .
type: string
default: '1:logging 4:object 4:json 4:event 1:util'
LibvirtTLSPriority:
description: >
Override the compile time default TLS priority string.
type: string
default: 'NORMAL:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.2'
NovaLibvirtOptVolumes:
default: []
description: list of optional volumes to be mounted
type: comma_delimited_list
tags:
- role_specific
NovaEnableVirtlogdContainerWrapper:
description: Generate a virtlogd wrapper script so that virtlogd launches
in a separate container and won't get restarted e.g. on minor
updates.
type: boolean
default: true
VirtlogdWrapperDebug:
type: boolean
default: false
description: Controls debugging for the wrapper scripts.
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
RbdDiskCachemodes:
type: comma_delimited_list
default: ['network=writeback']
description: >
Disk cachemodes for RBD backend.
conditions:
use_tls_for_live_migration:
and:
- {get_param: EnableInternalTLS}
- {get_param: UseTLSTransportForLiveMigration}
libvirt_specific_ca_set:
not: {equals: [{get_param: LibvirtCACert}, '']}
need_libvirt_secret:
or:
- {equals: [{get_param: [RoleParameters, NovaEnableRbdBackend]}, true]}
- and:
- {equals: [{get_param: [RoleParameters, NovaEnableRbdBackend]}, '']}
- {equals: [{get_param: NovaEnableRbdBackend}, true]}
- {get_param: CinderEnableRbdBackend}
use_tls_for_vnc:
and:
- {get_param: EnableInternalTLS}
- {get_param: UseTLSTransportForVnc}
libvirt_vnc_specific_ca_set:
not: {equals: [{get_param: LibvirtVncCACert}, '']}
use_tls_for_nbd:
and:
- {get_param: EnableInternalTLS}
- {get_param: UseTLSTransportForNbd}
qemu_specific_ca_set:
not: {equals: [{get_param: QemuCACert}, '']}
key_size_libvirt_override_set:
not: {equals: [{get_param: LibvirtCertificateKeySize}, '']}
key_size_qemu_client_override_set:
not: {equals: [{get_param: QemuClientCertificateKeySize}, '']}
key_size_qemu_server_override_set:
not: {equals: [{get_param: QemuServerCertificateKeySize}, '']}
resources:
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- vhostuser_socket_group: VhostuserSocketGroup
nova::compute::libvirt::qemu::memory_backing_dir: QemuMemoryBackingDir
nova_libvirt_opt_volumes: NovaLibvirtOptVolumes
- values: {get_param: [RoleParameters]}
- values:
VhostuserSocketGroup: {get_param: VhostuserSocketGroup}
QemuMemoryBackingDir: {get_param: QemuMemoryBackingDir}
NovaLibvirtOptVolumes: {get_param: NovaLibvirtOptVolumes}
ContainersCommon:
type: ../containers-common.yaml
NovaLibvirtLogging:
type: OS::TripleO::Services::Logging::NovaLibvirt
NovaBase:
type: ./nova-base-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
VirtCommon:
type: ./nova-virt-common.yaml
outputs:
role_data:
description: Role data for the Libvirt service.
value:
service_name: nova_libvirt
firewall_rules:
'200 nova_libvirt':
dport:
- 16514
- '61152-61215'
- '5900-6923'
monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
config_settings:
map_merge:
- get_attr: [NovaBase, role_data, config_settings]
- get_attr: [RoleParametersValue, value]
- get_attr: [NovaLibvirtLogging, config_settings]
# we include ::nova::compute::libvirt::services in nova/libvirt profile
- nova::compute::libvirt::manage_libvirt_services: false
tripleo::profile::base::nova::virtlogd_wrapper::enable_wrapper: {get_param: NovaEnableVirtlogdContainerWrapper}
# don't think this is a good place as /var/lib/nova can also be shared storage
tripleo::profile::base::nova::virtlogd_wrapper::virtlogd_process_wrapper: '/var/lib/container-config-scripts/virtlogd_wrapper'
tripleo::profile::base::nova::virtlogd_wrapper::virtlogd_image: {get_param: ContainerNovaLibvirtImage}
tripleo::profile::base::nova::virtlogd_wrapper::debug:
if:
- {get_param: VirtlogdWrapperDebug}
- true
- {get_attr: [NovaBase, role_data, config_settings, 'nova::logging::debug']}
# we manage migration in nova common puppet profile
nova::compute::libvirt::migration_support: false
nova::compute::rbd::libvirt_images_rbd_ceph_conf:
list_join:
- ''
- - '/etc/ceph/'
- {get_param: CephClusterName}
- '.conf'
nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
tripleo::profile::base::nova::compute_libvirt_shared::nova_rbd_ceph_conf_path: {get_param: CephConfigPath}
nova::compute::rbd::rbd_keyring:
list_join:
- '.'
- - 'client'
- {get_param: CephClientUserName}
nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey}
nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID}
tripleo::profile::base::nova::migration::client::libvirt_enabled: true
tripleo::profile::base::nova::migration::client::ssh_private_key: {get_param: [ MigrationSshKey, private_key ]}
tripleo::profile::base::nova::migration::client::ssh_port: {get_param: MigrationSshPort}
nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
nova::compute::libvirt::virt_type: {get_param: NovaComputeLibvirtType}
nova::compute::libvirt::enabled_perf_events: {get_param: LibvirtEnabledPerfEvents}
nova::compute::libvirt::qemu::configure_qemu: true
nova::compute::libvirt::qemu::max_files: 32768
nova::compute::libvirt::qemu::max_processes: 131072
nova::migration::qemu::configure_qemu: true
nova::migration::qemu::migration_port_min: 61152
nova::migration::qemu::migration_port_max: 61215
nova::compute::libvirt::vncserver_listen:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
nova::compute::libvirt::log_filters: {get_param: LibvirtLogFilters}
nova::compute::libvirt::virtlogd::log_filters: {get_param: LibvirtVirtlogdLogFilters}
rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
rbd_disk_cachemodes: {get_param: RbdDiskCachemodes}
nova::compute::libvirt::virtsecretd::log_filters: {get_param: LibvirtVirtsecretdLogFilters}
nova::compute::libvirt::virtnodedevd::log_filters: {get_param: LibvirtVirtnodedevdLogFilters}
nova::compute::libvirt::virtstoraged::log_filters: {get_param: LibvirtVirtstoragedLogFilters}
nova::compute::libvirt::virtqemud::log_filters: {get_param: LibvirtVirtqemudLogFilters}
nova::compute::libvirt::virtproxyd::log_filters: {get_param: LibvirtVirtproxydLogFilters}
tripleo::profile::base::nova::libvirt::modular_libvirt: true
nova::compute::libvirt::services::modular_libvirt: true
nova::compute::libvirt::modular_libvirt: true
nova::migration::libvirt::modular_libvirt: true
nova::params::modular_libvirt: true
- if:
- use_tls_for_live_migration
- tripleo::profile::base::nova::migration::client::libvirt_tls: true
tripleo::profile::base::nova::libvirt::tls_password: {get_param: [LibvirtTLSPassword]}
nova::compute::libvirt::qemu::default_tls_verify: {get_param: QemuDefaultTLSVerify}
nova::compute::libvirt::tls_priority: {get_param: LibvirtTLSPriority}
nova::migration::libvirt::listen_address:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
nova::migration::libvirt::live_migration_inbound_addr:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- nova::migration::libvirt::live_migration_inbound_addr:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- if:
- use_tls_for_vnc
- nova::compute::libvirt::qemu::vnc_tls: true
nova::compute::libvirt::qemu::vnc_tls_verify: true
- if:
- use_tls_for_nbd
- nova::compute::libvirt::qemu::nbd_tls: true
nova::migration::libvirt::live_migration_with_native_tls: true
puppet_config:
config_volume: nova_libvirt
puppet_tags: libvirtd_config,virtlogd_config,virtproxyd_config,virtqemud_config,virtnodedevd_config,virtsecretd_config,virtstoraged_config,nova_config,file,libvirt_tls_password
step_config: |
include tripleo::profile::base::nova::libvirt
config_image: {get_param: ContainerNovaLibvirtConfigImage}
kolla_config:
/var/lib/kolla/config_files/nova_virtlogd.json:
command:
if:
- {get_param: NovaEnableVirtlogdContainerWrapper}
- /usr/local/bin/virtlogd_wrapper
- /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
config_files: {get_attr: [VirtCommon, kolla_config_files]}
permissions: {get_attr: [VirtCommon, kolla_permissions]}
/var/lib/kolla/config_files/nova_virtsecretd.json:
command: /usr/sbin/virtsecretd --config /etc/libvirt/virtsecretd.conf
config_files: {get_attr: [VirtCommon, kolla_config_files]}
permissions: {get_attr: [VirtCommon, kolla_permissions]}
/var/lib/kolla/config_files/nova_virtnodedevd.json:
command: /usr/sbin/virtnodedevd --config /etc/libvirt/virtnodedevd.conf
config_files: {get_attr: [VirtCommon, kolla_config_files]}
permissions: {get_attr: [VirtCommon, kolla_permissions]}
/var/lib/kolla/config_files/nova_virtstoraged.json:
command: /usr/sbin/virtstoraged --config /etc/libvirt/virtstoraged.conf
config_files: {get_attr: [VirtCommon, kolla_config_files]}
permissions: {get_attr: [VirtCommon, kolla_permissions]}
/var/lib/kolla/config_files/nova_virtqemud.json:
command: /usr/sbin/virtqemud --config /etc/libvirt/virtqemud.conf
config_files: {get_attr: [VirtCommon, kolla_config_files]}
permissions: {get_attr: [VirtCommon, kolla_permissions]}
/var/lib/kolla/config_files/nova_virtproxyd.json:
command: /usr/sbin/virtproxyd --config /etc/libvirt/virtproxyd.conf
config_files: {get_attr: [VirtCommon, kolla_config_files]}
permissions: {get_attr: [VirtCommon, kolla_permissions]}
container_config_scripts:
nova_libvirt_init_secret.sh:
mode: "0755"
content: { get_file: ../../container_config_scripts/nova_libvirt_init_secret.sh }
docker_config:
step_2:
create_virtlogd_wrapper:
start_order: 1
detach: false
cgroupns: host
net: host
pid: host
user: root
command: # '/container_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
list_concat:
- - '/container_puppet_apply.sh'
- '4'
- 'file'
- 'include ::tripleo::profile::base::nova::virtlogd_wrapper'
image: {get_param: ContainerNovaLibvirtImage}
volumes:
list_concat:
- {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
- - /var/lib/container-config-scripts:/var/lib/container-config-scripts:shared,z
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
step_3:
map_merge:
- if:
- {get_param: NovaEnableVirtlogdContainerWrapper}
- nova_virtlogd_wrapper: &virtlog_container_config
start_order: 0
image: {get_param: ContainerNovaLibvirtImage}
ulimit: {get_param: ContainerNovaLibvirtUlimit}
cgroupns: host
net: host
pid: host
security_opt:
- label=disable
privileged: true
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NovaLibvirtLogging, volumes]}
- {get_attr: [VirtCommon, volumes]}
- - /var/lib/kolla/config_files/nova_virtlogd.json:/var/lib/kolla/config_files/config.json:ro
- if:
- {get_param: NovaEnableVirtlogdContainerWrapper}
- - /var/lib/container-config-scripts/virtlogd_wrapper:/usr/local/bin/virtlogd_wrapper:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
- nova_virtlogd: *virtlog_container_config
- nova_virtsecretd:
start_order: 1
image: {get_param: ContainerNovaLibvirtImage}
ulimit: {get_param: ContainerNovaLibvirtUlimit}
cgroupns: host
net: host
pid: host
pids_limit: {get_param: ContainerNovaLibvirtPidsLimit}
privileged: true
security_opt:
- label=level:s0
- label=type:spc_t
- label=filetype:container_share_t
restart: always
depends_on:
- tripleo_nova_virtlogd.service
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NovaLibvirtLogging, volumes]}
- {get_attr: [VirtCommon, volumes]}
- {get_attr: [RoleParametersValue, value, nova_libvirt_opt_volumes]}
- - /var/lib/kolla/config_files/nova_virtsecretd.json:/var/lib/kolla/config_files/config.json:ro
- nova_virtnodedevd:
start_order: 2
image: {get_param: ContainerNovaLibvirtImage}
ulimit: {get_param: ContainerNovaLibvirtUlimit}
cgroupns: host
net: host
pid: host
pids_limit: {get_param: ContainerNovaLibvirtPidsLimit}
privileged: true
security_opt:
- label=level:s0
- label=type:spc_t
- label=filetype:container_share_t
restart: always
depends_on:
- tripleo_nova_virtlogd.service
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NovaLibvirtLogging, volumes]}
- {get_attr: [VirtCommon, volumes]}
- {get_attr: [RoleParametersValue, value, nova_libvirt_opt_volumes]}
- - /var/lib/kolla/config_files/nova_virtnodedevd.json:/var/lib/kolla/config_files/config.json:ro
- nova_virtstoraged:
start_order: 3
image: {get_param: ContainerNovaLibvirtImage}
ulimit: {get_param: ContainerNovaLibvirtUlimit}
cgroupns: host
net: host
pid: host
pids_limit: {get_param: ContainerNovaLibvirtPidsLimit}
privileged: true
security_opt:
- label=level:s0
- label=type:spc_t
- label=filetype:container_share_t
restart: always
depends_on:
- tripleo_nova_virtlogd.service
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NovaLibvirtLogging, volumes]}
- {get_attr: [VirtCommon, volumes]}
- {get_attr: [RoleParametersValue, value, nova_libvirt_opt_volumes]}
- - /var/lib/kolla/config_files/nova_virtstoraged.json:/var/lib/kolla/config_files/config.json:ro
- nova_virtqemud:
start_order: 4
image: {get_param: ContainerNovaLibvirtImage}
ulimit: {get_param: ContainerNovaLibvirtUlimit}
cgroupns: host
net: host
pid: host
pids_limit: {get_param: ContainerNovaLibvirtPidsLimit}
privileged: true
security_opt:
- label=level:s0
- label=type:spc_t
- label=filetype:container_share_t
restart: always
depends_on:
- tripleo_nova_virtlogd.service
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NovaLibvirtLogging, volumes]}
- {get_attr: [VirtCommon, volumes]}
- {get_attr: [RoleParametersValue, value, nova_libvirt_opt_volumes]}
- - /var/lib/kolla/config_files/nova_virtqemud.json:/var/lib/kolla/config_files/config.json:ro
- nova_virtproxyd:
start_order: 5
image: {get_param: ContainerNovaLibvirtImage}
ulimit: {get_param: ContainerNovaLibvirtUlimit}
cgroupns: host
net: host
pid: host
pids_limit: {get_param: ContainerNovaLibvirtPidsLimit}
privileged: true
security_opt:
- label=level:s0
- label=type:spc_t
- label=filetype:container_share_t
restart: always
depends_on:
- tripleo_nova_virtlogd.service
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NovaLibvirtLogging, volumes]}
- {get_attr: [VirtCommon, volumes]}
- {get_attr: [RoleParametersValue, value, nova_libvirt_opt_volumes]}
- - /var/lib/kolla/config_files/nova_virtproxyd.json:/var/lib/kolla/config_files/config.json:ro
step_4:
if:
- need_libvirt_secret
- nova_libvirt_init_secret:
detach: false
image: {get_param: ContainerNovaLibvirtImage}
security_opt:
- label=disable
privileged: false
user: root
cgroupns: host
net: host
environment:
LIBVIRT_DEFAULT_URI: qemu:///system
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova
- /etc/libvirt:/etc/libvirt
- /run/libvirt:/run/libvirt:shared
- /var/lib/libvirt:/var/lib/libvirt:shared
- /var/lib/container-config-scripts/nova_libvirt_init_secret.sh:/nova_libvirt_init_secret.sh:ro
- str_replace:
template: HOST_CEPH:/etc/ceph:ro
params:
HOST_CEPH: {get_param: CephConfigPath}
command:
list_join:
- ' '
- - str_replace:
template:
"/nova_libvirt_init_secret.sh CLUSTER:USER"
params:
CLUSTER: {get_param: CephClusterName}
USER: {get_param: CephClientUserName}
- repeat:
template:
<%ceph_info%>
for_each:
<%ceph_info%>:
yaql:
expression:
let(u => $.data.default_user) -> $.data.multiconfig.values().select("{0}:{1}".format($.CephClusterName, $.get("CephClientUserName", $u)))
data:
default_user: {get_param: CephClientUserName}
multiconfig: {get_param: CinderRbdMultiConfig}
deploy_steps_tasks:
- if:
- {get_param: EnableInternalTLS}
- - name: Certificate generation
when: step|int == 1
block:
- name: Create dirs for certificates and keys
file:
path: "{{ item }}"
state: directory
serole: object_r
setype: cert_t
seuser: system_u
with_items:
- '/etc/pki/libvirt'
- '/etc/pki/libvirt/private'
- '/etc/pki/qemu'
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: libvirt-server-cert
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
run_after:
str_replace:
template: |
# Copy cert and key to libvirt dirs
cp CACERT /etc/pki/CA/cacert.pem
chown root:root /etc/pki/CA/cacert.pem
chmod 644 /etc/pki/CA/cacert.pem
cp /etc/pki/tls/certs/libvirt-server-cert.crt /etc/pki/libvirt/servercert.pem
cp /etc/pki/tls/private/libvirt-server-cert.key /etc/pki/libvirt/private/serverkey.pem
systemctl reload tripleo_nova_libvirt
params:
CACERT:
if:
- libvirt_specific_ca_set
- get_param: LibvirtCACert
- get_param: InternalTLSCAFile
key_size:
if:
- key_size_libvirt_override_set
- {get_param: LibvirtCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
- name: libvirt-client-cert
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
run_after: |
# Copy cert and key to libvirt dirs
cp /etc/pki/tls/certs/libvirt-client-cert.crt /etc/pki/libvirt/clientcert.pem
cp /etc/pki/tls/private/libvirt-client-cert.key /etc/pki/libvirt/private/clientkey.pem
systemctl reload tripleo_nova_libvirt
key_size:
if:
- key_size_libvirt_override_set
- {get_param: LibvirtCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
- name: qemu-server-cert
owner: root
group: qemu
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "qemu/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
run_after:
str_replace:
template: |
# Copy cert and key to qemu dir
cp CACERT /etc/pki/qemu/ca-cert.pem
chown root:root /etc/pki/qemu/ca-cert.pem
chmod 644 /etc/pki/qemu/ca-cert.pem
cp -a /etc/pki/tls/certs/qemu-server-cert.crt /etc/pki/qemu/server-cert.pem
cp -a /etc/pki/tls/private/qemu-server-cert.key /etc/pki/qemu/server-key.pem
chgrp qemu /etc/pki/qemu/server-*
chmod 0640 /etc/pki/qemu/server-cert.pem
chmod 0640 /etc/pki/qemu/server-key.pem
systemctl reload tripleo_nova_libvirt
params:
CACERT:
if:
- qemu_specific_ca_set
- get_param: QemuCACert
- get_param: InternalTLSCAFile
key_size:
if:
- key_size_qemu_server_override_set
- {get_param: QemuServerCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
- name: qemu-client-cert
owner: root
group: qemu
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "qemu/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
run_after: |
# Copy cert and key to qemu dir
cp -a /etc/pki/tls/certs/qemu-client-cert.crt /etc/pki/qemu/client-cert.pem
cp -a /etc/pki/tls/private/qemu-client-cert.key /etc/pki/qemu/client-key.pem
chgrp qemu /etc/pki/qemu/client-*
chmod 0640 /etc/pki/qemu/client-cert.pem
chmod 0640 /etc/pki/qemu/client-key.pem
systemctl reload tripleo_nova_libvirt
key_size:
if:
- key_size_qemu_client_override_set
- {get_param: QemuClientCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
host_prep_tasks:
list_concat:
- {get_attr: [NovaLibvirtLogging, host_prep_tasks]}
- - name: create libvirt persistent data directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype | default(omit) }}"
with_items:
- { 'path': /etc/libvirt, 'setype': container_file_t }
- { 'path': /etc/libvirt/secrets, 'setype': container_file_t }
- { 'path': /etc/libvirt/qemu, 'setype': container_file_t }
- { 'path': /var/lib/libvirt, 'setype': container_file_t }
- { 'path': /var/cache/libvirt }
- { 'path': /var/lib/nova, 'setype': container_file_t }
- { 'path': /run/libvirt, 'setype': virt_var_run_t }
- { 'path': /var/log/libvirt, 'setype': container_file_t }
- { 'path': /var/log/libvirt/qemu, 'setype': container_file_t }
# qemu user on host will be cretaed by libvirt package install, ensure
# the qemu user created with same uid/gid as like libvirt package.
# These specific values are required since ovs is running on host.
# Once ovs with DPDK is containerized, we could modify this uid/gid
# to match with kolla config values.
- name: ensure qemu group is present on the host
group:
name: qemu
gid: 107
state: present
- name: ensure qemu user is present on the host
user:
name: qemu
uid: 107
group: qemu
state: present
shell: /sbin/nologin
comment: qemu user
- name: create directory for vhost-user sockets with qemu ownership
file:
path: /var/lib/vhost_sockets
state: directory
owner: qemu
group: {get_attr: [RoleParametersValue, value, vhostuser_socket_group]}
setype: virt_cache_t
seuser: system_u
- name: ensure ceph configurations exist
file:
path: {get_param: CephConfigPath}
state: directory
- name: check if libvirt is installed
command: /usr/bin/rpm -q libvirt-daemon
failed_when: false
register: libvirt_installed
check_mode: no
- name: make sure libvirt services are disabled and masked
service:
name: "{{ item }}"
state: stopped
enabled: no
masked: yes
daemon_reload: yes
with_items:
- libvirtd.service
- virtlogd.socket
when: libvirt_installed.rc == 0
- name: ensure /run/libvirt is present upon reboot
copy:
dest: /etc/tmpfiles.d/run-libvirt.conf
content: |
d /run/libvirt 0755 root root - -
metadata_settings:
list_concat:
- if:
- {get_param: EnableInternalTLS}
- - service: libvirt
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- service: qemu
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- service: libvirt-vnc
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
upgrade_tasks:
- name: nova_libvirt_container_tmpfile_cleanup
when: step|int == 1
block: &nova_libvirt_container_tmpfile_cleanup
- name: Remove old tmpfiles.d config
file:
path: /etc/tmpfiles.d/var-run-libvirt.conf
state: absent
update_tasks:
- name: nova_libvirt_container_tmpfile_cleanup
when: step|int == 1
block: *nova_libvirt_container_tmpfile_cleanup

158
deployment/nova/nova-virt-common.yaml Normal file
View File

@ -0,0 +1,158 @@
heat_template_version: wallaby
description: >
Contains a static list of common things necessary for containers
parameters:
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
CephClientUserName:
default: openstack
type: string
CephClusterName:
type: string
default: ceph
description: The Ceph cluster name.
constraints:
- allowed_pattern: "[a-zA-Z0-9]+"
description: >
The Ceph cluster name must be at least 1 character and contain only
letters and numbers.
CinderRbdMultiConfig:
type: json
default: {}
description: |
Dictionary of settings when configuring multiple RBD backends. The
hash key is the backend name, and the value is a dictionary of parameter
values unique to that backend. The following parameters are required,
and must match the corresponding value defined in CephExternalMultiConfig.
CephClusterName (must match the CephExternalMultiConfig entry's 'cluster')
CephClusterFSID (must match the CephExternalMultiConfig entry's 'fsid')
The following parameters are optional, and override the corresponding
parameter's default value.
CephClientUserName
CinderRbdPoolName
CinderRbdExtraPools
CinderRbdAvailabilityZone
CinderRbdFlattenVolumeFromSnapshot
CephConfigPath:
type: string
default: "/var/lib/tripleo-config/ceph"
description: |
The path where the Ceph Cluster config files are stored on the host.
QemuMemoryBackingDir:
type: string
description: >
Directory used for memoryBacking source if configured as file.
NOTE: big files will be stored here
default: ''
tags:
- role_specific
conditions:
memory_backing_dir_set:
not:
and:
- {equals: [{get_param: QemuMemoryBackingDir}, '']}
- {equals: [{get_param: [RoleParameters, QemuMemoryBackingDir]}, '']}
outputs:
kolla_config_files:
description: Common kolla config_files.
value:
list_concat:
-
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-ceph/"
dest: "/etc/ceph/"
merge: true
preserve_properties: true
kolla_permissions:
description: Common kolla permissions.
value:
list_concat:
- - path:
str_replace:
template: /etc/ceph/CLUSTER.client.USER.keyring
params:
CLUSTER: {get_param: CephClusterName}
USER: {get_param: CephClientUserName}
owner: nova:nova
perm: '0600'
- repeat:
template:
path: /etc/ceph/<%keyring%>
owner: nova:nova
perm: '0600'
for_each:
<%keyring%>:
yaql:
expression: let(u => $.data.default_user) -> $.data.multiconfig.values().select("{0}.client.{1}.keyring".format($.CephClusterName, $.get("CephClientUserName", $u)))
data:
default_user: {get_param: CephClientUserName}
multiconfig: {get_param: CinderRbdMultiConfig}
volumes:
description: Common volumes for all moduler virt daemons.
value:
list_concat:
- - /lib/modules:/lib/modules:ro
- /dev:/dev
- /run:/run
- /sys/fs/cgroup:/sys/fs/cgroup
- /sys/fs/selinux:/sys/fs/selinux
- /etc/selinux/config:/etc/selinux/config:ro
- /etc/libvirt:/etc/libvirt:shared
- /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
- /run/libvirt:/run/libvirt:shared
- /var/lib/nova:/var/lib/nova:shared
- /var/lib/libvirt:/var/lib/libvirt:shared
- /var/cache/libvirt:/var/cache/libvirt:shared
- /var/lib/vhost_sockets:/var/lib/vhost_sockets
- /var/lib/config-data/puppet-generated/nova_libvirt:/var/lib/kolla/config_files/src:ro
- list_join:
- ':'
- - {get_param: CephConfigPath}
- - '/var/lib/kolla/config_files/src-ceph'
- - 'ro'
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/CA/cacert.pem:/etc/pki/CA/cacert.pem:ro
- /etc/pki/libvirt:/etc/pki/libvirt:ro
- /etc/pki/qemu:/etc/pki/qemu:ro
- if:
- memory_backing_dir_set
- - str_replace:
template: "MEMORY_BACKING_DIR:MEMORY_BACKING_DIR"
params:
MEMORY_BACKING_DIR: {get_attr: [RoleParametersValue, value, memory_backing_dir]}

2
overcloud-resource-registry-puppet.j2.yaml
View File

@ -191,7 +191,7 @@ resource_registry:
OS::TripleO::Services::NovaApi: deployment/nova/nova-api-container-puppet.yaml
OS::TripleO::Services::NovaCompute: deployment/nova/nova-compute-container-puppet.yaml
OS::TripleO::Services::NovaConductor: deployment/nova/nova-conductor-container-puppet.yaml
OS::TripleO::Services::NovaLibvirt: deployment/nova/nova-libvirt-container-puppet.yaml
OS::TripleO::Services::NovaLibvirt: deployment/nova/nova-modular-libvirt-container-puppet.yaml
OS::TripleO::Services::NovaLibvirtGuests: deployment/nova/nova-libvirt-guests-container-puppet.yaml
OS::TripleO::Services::NovaManager: deployment/nova/nova-manager-container-puppet.yaml
OS::TripleO::Services::NovaMetadata: deployment/nova/nova-metadata-container-puppet.yaml

31
releasenotes/notes/modular-libvirt-daemons-b5ad6043d6510077.yaml Normal file
View File

@ -0,0 +1,31 @@
---
features:
- |
This change adds functionality to enable modular libvirt daemons.
All these daemons runs in its respective container. Also the default
configuration is to use modular libvirt daemons instead of monolithic libvirt
daemon.
Here is the list of libvirt daemon which are added in this change.
- virtnodedevd
- virtproxyd
- virtqemud
- virtsecretd
- virtstoraged
It's possible to define the individual log filters for each one of these daemon
using the following new parameters:
- ``LibvirtVirtlogdLogFilters``
- ``LibvirtVirtsecretdLogFilters``
- ``LibvirtVirtnodedevdLogFilters``
- ``LibvirtVirtstoragedLogFilters``
- ``LibvirtVirtqemudLogFilters``
- ``LibvirtVirtproxydLogFilters``
More information regarding modular libvirt daemons is available here.
`Libvirt Daemons <https://libvirt.org/daemons.html>` _.
deprecations:
- |
This change deprecates the nova-libvirt-container-puppet.yaml heat-template
which configures monolithic modular libvirt daemon.
The newly added heat-template for modular libvirt daemons will be used to
configure libvirt services in different containers.