diff --git a/docker/services/logging/files/nova-metadata.yaml b/docker/services/logging/files/nova-metadata.yaml
new file mode 100644
index 0000000000..ee7e2ac1ff
--- /dev/null
+++ b/docker/services/logging/files/nova-metadata.yaml
@@ -0,0 +1,46 @@
+heat_template_version: rocky
+description: >
+ Template for nova-metadata's logging to files
+parameters:
+ DockerNovaMetadataImage:
+ description: image
+ type: string
+outputs:
+ config_settings:
+ description: Extra hieradata needed to log to files in the host.
+ value: null
+ volumes:
+ description: The volumes needed to log to files in the host.
+ value: &nova_metadata_volumes
+ - /var/log/containers/nova:/var/log/nova
+ - /var/log/containers/httpd/nova-metadata:/var/log/httpd
+ docker_config:
+ description: Extra containers needed for logging to files in the host.
+ value:
+ step_2:
+ nova_metadata_init_logs:
+ image: {get_param: DockerNovaMetadataImage}
+ privileged: false
+ user: root
+ volumes: *nova_metadata_volumes
+ command: ['/bin/bash', '-c', 'chown -R nova:nova /var/log/nova']
+ host_prep_tasks:
+ description: Extra ansible tasks needed for logging to files in the host.
+ value:
+ - name: create persistent logs directory
+ file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - /var/log/containers/nova
+ - /var/log/containers/httpd/nova-metadata
+ - name: nova logs readme
+ copy:
+ dest: /var/log/nova/readme.txt
+ content: |
+ Log files from nova containers can be found under
+ /var/log/containers/nova and /var/log/containers/httpd/nova-*.
+ ignore_errors: true
diff --git a/docker/services/logging/stdout/nova-metadata.yaml b/docker/services/logging/stdout/nova-metadata.yaml
new file mode 100644
index 0000000000..8bfda7b6f3
--- /dev/null
+++ b/docker/services/logging/stdout/nova-metadata.yaml
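Review bot: The `nova logs readme` task writes `/var/log/nova/readme.txt` on the host, yet the `file:` task above only creates `/var/log/containers/nova` and `/var/log/containers/httpd/nova-metadata`, and `ignore_errors: true` hides the failure when `/var/log/nova` is absent — either add `/var/log/nova` to `with_items` and drop `ignore_errors`, or point `dest:` at `/var/log/containers/nova/readme.txt`. The two host directories are also created with the host's default owner and umask; `nova_metadata_init_logs` later chowns only `/var/log/nova` (as root over the bind mount, a deliberate but broad use of an unprivileged root container), while the httpd log directory is never chowned or restricted, so an explicit `mode: "0750"` on the `file:` task would document who may read these logs on the host. A comment on the init container such as `# one-shot: fix ownership of the bind-mounted host log dir for the nova user` would make its purpose clear.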
@@ -0,0 +1,60 @@
+heat_template_version: rocky
+description: >
+ Template for nova-metadata's logging to stdout
+parameters:
+ DockerNovaMetadataImage:
+ description: image
+ type: string
+outputs:
+ config_settings:
+ description: Extra hieradata needed to log to stdout.
+ value:
+ nova::wsgi::apache_metadata::access_log_file: /var/log/httpd/access.log
+ nova::wsgi::apache_metadata::error_log_file: /var/log/httpd/error_log
+ volumes:
+ description: The volumes needed to log to stdout or a sidecar container.
+ value:
+ - NovaMetadataLogs:/var/log/
+ docker_config:
+ description: Extra containers needed for logging to stdout or a sidecar container.
+ value:
+ step_2:
+ nova_metadata_apache_error_logs:
+ start_order: 1
+ image: {get_param: DockerNovaMetadataImage}
+ user: root
+ privileged: false
+ restart: always
+ healthcheck:
+ test: '[ -p /var/log/httpd/error_log ]'
+ command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd && rm -f /var/log/httpd/error_log && mkfifo /var/log/httpd/error_log && while true; do cat /var/log/httpd/error_log; done']
+ volumes:
+ - NovaMetadataLogs:/var/log/
+ nova_metadata_apache_access_logs:
+ start_order: 1
+ image: {get_param: DockerNovaMetadataImage}
+ user: root
+ privileged: false
+ restart: always
+ healthcheck:
+ test: '[ -p /var/log/httpd/access.log ]'
+ command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd && rm -f /var/log/httpd/access.log && mkfifo /var/log/httpd/access.log && while true; do cat /var/log/httpd/access.log; done']
+ volumes:
+ - NovaMetadataLogs:/var/log/
+ nova_metadata_logs:
+ start_order: 2
+ image: {get_param: DockerNovaMetadataImage}
+ user: nova
+ privileged: false
+ restart: always
+ healthcheck:
+ test: '[ -p /var/log/nova/nova-metadata-api.log ]'
+ command: ['/bin/bash', '-c', 'mkdir -p /var/log/nova && rm -f /var/log/nova/nova-metadata-api.log && mkfifo /var/log/nova/nova-metadata-api.log && while true; do cat /var/log/nova/nova-metadata-api.log; done']
+ volumes:
+ - NovaMetadataLogs:/var/log/
+ host_prep_tasks: + description: Extra ansible tasks needed for logging to files in the host. + value: null diff --git a/docker/services/nova-metadata.yaml b/docker/services/nova-metadata.yaml index bd1f8b5673..8ea8a7370f 100644 --- a/docker/services/nova-metadata.yaml +++ b/docker/services/nova-metadata.yaml @@ -7,7 +7,7 @@ parameters: DockerNovaMetadataImage: description: image type: string - DockerNovaConfigImage: + DockerNovaMetadataConfigImage: description: The container image to use for the nova config_volume type: string NovaMetadataLoggingSource: @@ -41,12 +41,22 @@ parameters: default: {} description: Parameters specific to the role type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: ContainersCommon: type: ./containers-common.yaml + MySQLClient: + type: ../../puppet/services/database/mysql-client.yaml + NovaMetadataBase: type: ../../puppet/services/nova-metadata.yaml properties: @@ -57,11 +67,8 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} - NovaLogging: - type: OS::TripleO::Services::Logging::NovaCommon - properties: - DockerNovaImage: {get_param: DockerNovaMetadataImage} - NovaServiceName: 'metadata' + NovaMetadataLogging: + type: OS::TripleO::Services::Logging::NovaMetadata outputs: role_data: @@ -71,7 +78,8 @@ outputs: config_settings: map_merge: - get_attr: [NovaMetadataBase, role_data, config_settings] - - {get_attr: [NovaLogging, config_settings]} + - get_attr: [NovaMetadataLogging, config_settings] + - apache::default_vhost: false logging_source: {get_attr: [NovaMetadataBase, role_data, logging_source]} service_config_settings: map_merge: 
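Review bot: The third sidecar, `nova_metadata_logs`, waits on `/var/log/nova/nova-metadata-api.log`, but nothing in this template's `config_settings` tells nova to log there (only the two httpd `access_log_file`/`error_log_file` keys are set), and the default path this change removes from puppet/services/nova-metadata.yaml was `nova-api-metadata.log` — confirm the WSGI app really writes to the new name, otherwise that FIFO is never read. Two caveats deserve a comment on the sidecars: a FIFO with no reader blocks its writer, so while a `*_logs` container is down httpd workers stall on logging (`restart: always` shortens but does not remove that window), and the `[ -p … ]` healthcheck only proves the FIFO exists, not that `cat` is draining it; something like `# NOTE: writers block when this reader is down; healthcheck only checks the FIFO exists` would set expectations. `nova_metadata_logs` also runs as `user: nova` yet does `mkdir -p /var/log/nova` in a named volume whose top level the two root-run sidecars populate first; whether `nova` may create there depends on the volume's initial ownership from the image, so verify it or create and `chown` the directory from a root container as the files variant does.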
@@ -83,18 +91,17 @@ outputs: - {get_param: NovaMetadataLoggingSource} # BEGIN DOCKER SETTINGS puppet_config: - config_volume: nova + config_volume: nova_metadata puppet_tags: nova_config step_config: - get_attr: [NovaMetadataBase, role_data, step_config] - config_image: {get_param: DockerNovaConfigImage} + list_join: + - "\n" + - - {get_attr: [NovaMetadataBase, role_data, step_config]} + - {get_attr: [MySQLClient, role_data, step_config]} + config_image: {get_param: DockerNovaMetadataConfigImage} kolla_config: /var/lib/kolla/config_files/nova_metadata.json: - command: - list_join: - - ' ' - - - /usr/bin/nova-api-metadata - - get_attr: [NovaLogging, cmd_extra_args] + command: /usr/sbin/httpd -DFOREGROUND config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" 
@@ -106,65 +113,35 @@ outputs: recurse: true docker_config: step_2: - get_attr: [NovaLogging, docker_config, step_2] + get_attr: [NovaMetadataLogging, docker_config, step_2] step_4: nova_metadata: start_order: 2 - image: &nova_metadata_image {get_param: DockerNovaMetadataImage} + image: {get_param: DockerNovaMetadataImage} net: host - user: nova - privileged: true + user: root restart: always healthcheck: test: /openstack/healthcheck volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - {get_attr: [NovaLogging, volumes]} + - {get_attr: [NovaMetadataLogging, volumes]} - - /var/lib/kolla/config_files/nova_metadata.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/puppet-generated/nova_metadata/:/var/lib/kolla/config_files/src:ro + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - + if: + - internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS metadata_settings: get_attr: [NovaMetadataBase, role_data, metadata_settings] - host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]} - upgrade_tasks: - - when: step|int == 0 - tags: common - block: - - name: Check if nova_api_metadata is deployed - command: systemctl is-enabled --quiet openstack-nova-api - ignore_errors: True - register: nova_metadata_enabled_result - - name: Set fact nova_metadata_enabled - set_fact: - nova_metadata_enabled: "{{ nova_metadata_enabled_result.rc == 0 }}" - - name: "PreUpgrade step0,validation: Check service openstack-nova-api is running" - command: systemctl is-active --quiet openstack-nova-api - tags: validation - when: nova_metadata_enabled|bool - - when: step|int == 2 - block: - - name: Stop and disable nova_api service - when: nova_metadata_enabled|bool - service: name=openstack-nova-api state=stopped enabled=no - 
fast_forward_upgrade_tasks: - - when: - - step|int == 0 - - release == 'ocata' - block: - - name: Check if nova_api_metadata is deployed - command: systemctl is-enabled --quiet openstack-nova-api - tags: common - ignore_errors: True - register: nova_metadata_enabled_result - - name: Set fact nova_metadata_enabled - set_fact: - nova_metadata_enabled: "{{ nova_metadata_enabled_result.rc == 0 }}" - - name: Stop and disable nova_api service - when: - - step|int == 1 - - release == 'ocata' - - nova_metadata_enabled|bool - service: name=openstack-nova-api state=stopped enabled=no + host_prep_tasks: {get_attr: [NovaMetadataLogging, host_prep_tasks]} diff --git a/environments/stdout-logging.yaml b/environments/stdout-logging.yaml index 36becb8635..2d7f4e5d82 100644 --- a/environments/stdout-logging.yaml +++ b/environments/stdout-logging.yaml @@ -13,5 +13,6 @@ resource_registry: OS::TripleO::Services::Logging::NovaApi: ../docker/services/logging/stdout/nova-api.yaml OS::TripleO::Services::Logging::NovaCommon: ../docker/services/logging/stdout/nova-common.yaml OS::TripleO::Services::Logging::NovaPlacement: ../docker/services/logging/stdout/nova-placement.yaml + OS::TripleO::Services::Logging::NovaMetadata: ../docker/services/logging/stdout/nova-metadata.yaml OS::TripleO::Services::Logging::NovaLibvirt: ../docker/services/logging/stdout/nova-libvirt.yaml OS::TripleO::Services::Logging::PankoApi: ../docker/services/logging/stdout/panko-api.yaml diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 7ad478f48e..44860315ce 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml 
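Review bot: The hunk deletes the `upgrade_tasks` and `fast_forward_upgrade_tasks` that detected, validated and stopped a baremetal `openstack-nova-api` unit, with nothing replacing them; the new container uses `net: host` and httpd binds 8775, so a leftover host service on an upgraded node would hold that port and the container would fail to start. If nova-api.yaml already carries equivalent tasks for the shared `openstack-nova-api` unit, say so in the commit message or a comment; otherwise keep the tasks. Moving from `user: nova` / `privileged: true` to `user: root` / `privileged: false` is an improvement, but `root` should be justified in place, e.g. `# httpd starts as root to bind and drop to the apache user; WSGI processes should run as nova via apache_metadata settings — confirm`. The conditional TLS mounts are correctly read-only; note that the `''` entries emitted when TLS is disabled rely on the consumer discarding empty volume strings.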
@@ -343,6 +343,7 @@ resource_registry: OS::TripleO::Services::Logging::NeutronApi: docker/services/logging/files/neutron-api.yaml OS::TripleO::Services::Logging::NeutronCommon: docker/services/logging/files/neutron-common.yaml OS::TripleO::Services::Logging::NovaApi: docker/services/logging/files/nova-api.yaml + OS::TripleO::Services::Logging::NovaMetadata: docker/services/logging/files/nova-metadata.yaml OS::TripleO::Services::Logging::NovaCommon: docker/services/logging/files/nova-common.yaml OS::TripleO::Services::Logging::NovaLibvirt: OS::Heat::None OS::TripleO::Services::Logging::NovaPlacement: docker/services/logging/files/nova-placement.yaml diff --git a/puppet/services/nova-metadata.yaml b/puppet/services/nova-metadata.yaml index db2c457ebe..24f4183f83 100644 --- a/puppet/services/nova-metadata.yaml +++ b/puppet/services/nova-metadata.yaml @@ -1,7 +1,7 @@ heat_template_version: rocky description: > - OpenStack Nova API service configured with Puppet + OpenStack Nova Metadata API service configured with Puppet parameters: ServiceData: 
@@ -34,75 +34,122 @@ parameters: default: 0 description: Number of workers for Nova services. type: number - EnableInternalTLS: - type: boolean - default: false + NovaPassword: + description: The password for the nova service and db account + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + NeutronMetadataProxySharedSecret: + description: Shared secret to prevent spoofing + type: string + hidden: true + MonitoringSubscriptionNovaMetadata: + default: 'overcloud-nova-metadata' + type: string NovaMetadataLoggingSource: type: json default: - tag: openstack.nova.api.metadata - path: /var/log/nova/nova-api-metadata.log + tag: openstack.nova.metadata + path: /var/log/httpd/nova_metadata_wsgi_error_ssl.log + EnableInternalTLS: + type: boolean + default: false conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} - use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} - resources: + ApacheServiceBase: + type: ./apache.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} - TLSProxyBase: - type: OS::TripleO::Services::TLSProxyBase + NovaBase: + type: ./nova-base.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} - EnableInternalTLS: {get_param: EnableInternalTLS} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: description: Role data for the Nova Metadata service. 
value: service_name: nova_metadata + monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata} config_settings: map_merge: - - get_attr: [TLSProxyBase, role_data, config_settings] - - nova::api::metadata_listen: - if: - - use_tls_proxy - - 'localhost' - - str_replace: - template: - "%{hiera('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] + - tripleo.nova_placement.firewall_rules: + '139 nova_metadata': + dport: + - 8775 + - 13775 + nova::keystone::authtoken::project_name: 'service' + nova::keystone::authtoken::password: {get_param: NovaPassword} + nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } + nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + nova::metadata::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} + nova::metadata::enable_proxy_headers_parsing: true + nova_metadata_wsgi_enabled: true + nova::wsgi::apache_metadata::api_port: '8775' + nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS} + # NOTE: bind IP is found in Heat replacing the network name with the local node IP + # for the given network; replacement examples (eg. 
for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + nova::wsgi::apache_metadata::bind_host: + str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + nova::wsgi::apache_metadata::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]} - if: - nova_workers_zero - {} - - nova::api::metadata_workers: {get_param: NovaWorkers} - - - if: - - use_tls_proxy - - tripleo::profile::base::nova::api::metadata_tls_proxy_bind_ip: - str_replace: - template: - "%{hiera('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]} - tripleo::profile::base::nova::api::metadata_tls_proxy_fqdn: - str_replace: - template: - "%{hiera('fqdn_$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]} - - {} - step_config: "" + - nova::wsgi::apache_metadata::workers: {get_param: NovaWorkers} + step_config: | + include tripleo::profile::base::nova::metadata service_config_settings: fluentd: tripleo_fluentd_groups_nova_metadata: - nova tripleo_fluentd_sources_nova_metadata: - {get_param: NovaMetadataLoggingSource} - metadata_settings: - get_attr: [TLSProxyBase, role_data, metadata_settings] + keystone: + nova::keystone::auth::tenant: 'service' + nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]} + nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]} + nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} + nova::keystone::auth::password: {get_param: NovaPassword} + nova::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + map_merge: + - {get_attr: [NovaBase, role_data, service_config_settings, mysql]} + - nova::db::mysql_api::password: {get_param: NovaPassword} + nova::db::mysql_api::user: nova_api + nova::db::mysql_api::host: {get_param: 
[EndpointMap, MysqlInternal, host_nobrackets]}
+ nova::db::mysql_api::dbname: nova_api
+ nova::db::mysql_api::allowed_hosts:
+ - '%'
+ - "%{hiera('mysql_bind_host')}"
diff --git a/releasenotes/notes/nova_metadata_wsgi-bfb240bc84194d05.yaml b/releasenotes/notes/nova_metadata_wsgi-bfb240bc84194d05.yaml
new file mode 100644
index 0000000000..c8280452ec
--- /dev/null
+++ b/releasenotes/notes/nova_metadata_wsgi-bfb240bc84194d05.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Usage of eventlet of all the WSGI-run nova services get
+ deprecated, including nova-api and nova-metadata-api.
+ See https://review.openstack.org/#/c/549510/ for more details.
+ With this change we move nova-metadata to run via httpd wsgi.
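Review bot: The firewall rule for 8775/13775 is keyed `tripleo.nova_placement.firewall_rules` inside the nova_metadata template, which looks like a copy-paste from nova-placement; TripleO collects rules per service under `tripleo.<service_name>.firewall_rules`, so on a role without nova_placement the metadata ports would presumably never be opened, and where both services are present they silently share one hiera hash — change it to `tripleo.nova_metadata.firewall_rules:`. The `keystone` and `mysql` `service_config_settings` (endpoint registration, the `nova_api` DB user with `allowed_hosts: ['%', mysql_bind_host]`) duplicate what nova-api presumably declares for the same resources; with both services in a role the hiera merge only stays sane while the values are byte-identical, so either factor them into nova-base or add a comment that they must match nova-api.yaml. `NovaMetadataLoggingSource` now defaults to `/var/log/httpd/nova_metadata_wsgi_error_ssl.log` regardless of `EnableInternalTLS`; confirm puppet-nova uses that vhost log name in the non-TLS case too, or fluentd will tail a file that never appears. The `parameters:` mapping this hunk edits begins above the hunk.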