diff --git a/deployment/nova/nova-compute-common-container-puppet.yaml b/deployment/nova/nova-compute-common-container-puppet.yaml index 76f41567de..b8b9a4239e 100644 --- a/deployment/nova/nova-compute-common-container-puppet.yaml +++ b/deployment/nova/nova-compute-common-container-puppet.yaml @@ -49,13 +49,4 @@ outputs: content: { get_file: ../../docker_config_scripts/nova_wait_for_placement_service.py } nova_cell_v2_discover_host.py: mode: "0700" - content: - str_replace: - template: { get_file: ../../docker_config_scripts/nova_cell_v2_discover_host.py } - params: - __OS_PROJECT_DOMAIN_NAME: 'Default' - __OS_PROJECT_USER_NAME: 'Default' - __OS_PROJECT_NAME: 'service' - __OS_USERNAME: 'nova' - __OS_PASSWORD: {get_param: NovaPassword} - __OS_AUTH_URL: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + content: { get_file: ../../docker_config_scripts/nova_cell_v2_discover_host.py } diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml index 6292701994..64ab1a669b 100644 --- a/deployment/nova/nova-compute-container-puppet.yaml +++ b/deployment/nova/nova-compute-container-puppet.yaml @@ -559,6 +559,7 @@ outputs: list_concat: - {get_attr: [ContainersCommon, volumes]} - + - /var/lib/config-data/nova_libvirt/etc/my.cnf.d/:/etc/my.cnf.d/:ro - /var/lib/config-data/nova_libvirt/etc/nova/:/etc/nova/:ro - /var/log/containers/nova:/var/log/nova - /var/lib/docker-config-scripts/:/docker-config-scripts/ diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml index 07a37b3a59..88507ed796 100644 --- a/deployment/nova/nova-libvirt-container-puppet.yaml +++ b/deployment/nova/nova-libvirt-container-puppet.yaml @@ -104,6 +104,10 @@ parameters: default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. + InternalTLSQemuCAFile: + default: '/etc/pki/CA/certs/qemu.pem' + type: string + description: Specifies the CA cert to use for qemu. LibvirtCACert: type: string default: '' @@ -116,6 +120,16 @@ parameters: the InternalTLSCAFile parameter) is not desired. The current default reflects TripleO's default CA, which is FreeIPA. It will only be used if internal TLS is enabled. + QemuCACert: + type: string + default: '' + description: This specifies the CA certificate to use for qemu. + This file will be symlinked to the default CA path, + which is /etc/pki/qemu/ca-cert.pem. + This parameter should be used if the default (which comes from + the InternalTLSQemuCAFile parameter) is not desired. The current + default reflects TripleO's default CA, which is FreeIPA. + It will only be used if internal TLS is enabled. LibvirtVncCACert: type: string default: '' @@ -251,6 +265,11 @@ conditions: - {get_param: LibvirtNbdCACert} - '' + qemu_specific_ca_unset: + equals: + - {get_param: QemuCACert} + - '' + docker_enabled: equals: - {get_param: ContainerCli} @@ -265,7 +284,7 @@ resources: map_replace: - map_replace: - vhostuser_socket_group: VhostuserSocketGroup - memory_backing_dir: QemuMemoryBackingDir + nova::compute::libvirt::qemu::memory_backing_dir: QemuMemoryBackingDir - values: {get_param: [RoleParameters]} - values: VhostuserSocketGroup: {get_param: VhostuserSocketGroup} @@ -437,6 +456,58 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - {} + - + if: + - use_tls_for_nbd + - + nova::compute::libvirt::qemu::nbd_tls: true + nova::migration::libvirt::live_migration_with_native_tls: true + tripleo::certmonger::qemu_dirs::certificate_dir: '/etc/pki/qemu' + tripleo::certmonger::qemu_nbd_dirs::certificate_dir: '/etc/pki/libvirt-nbd' + generate_service_certificates: true + tripleo::certmonger::ca::qemu::origin_ca_pem: + if: + - qemu_specific_ca_unset + - get_param: InternalTLSQemuCAFile + - get_param: QemuCACert + qemu_certificates_specs: + qemu-server-cert: + cacertfile: + if: + - qemu_specific_ca_unset + - get_param: InternalTLSQemuCAFile + - null + service_certificate: '/etc/pki/qemu/server-cert.pem' + service_key: '/etc/pki/qemu/server-key.pem' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + principal: + str_replace: + template: "qemu/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + qemu-nbd-client-cert: + cacertfile: + if: + - qemu_specific_ca_unset + - get_param: InternalTLSQemuCAFile + - null + service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem' + service_key: '/etc/pki/libvirt-nbd/client-key.pem' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + principal: + str_replace: + template: "qemu/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + - {} puppet_config: config_volume: nova_libvirt puppet_tags: libvirtd_config,nova_config,file,libvirt_tls_password diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml deleted file mode 100644 index 5694cd8b87..0000000000 --- a/puppet/services/nova-libvirt.yaml +++ /dev/null @@ -1,454 +0,0 @@ -heat_template_version: rocky - -description: > - Libvirt service configured with Puppet - -parameters: - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - CephClusterName: - type: string - default: ceph - description: The Ceph cluster name. - constraints: - - allowed_pattern: "[a-zA-Z0-9]+" - description: > - The Ceph cluster name must be at least 1 character and contain only - letters and numbers. - CephClientUserName: - default: openstack - type: string - CephClientKey: - description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. - type: string - hidden: true - CephClusterFSID: - type: string - description: The Ceph cluster FSID. Must be a UUID. - CinderEnableRbdBackend: - default: false - description: Whether to enable or not the Rbd backend for Cinder - type: boolean - NovaComputeLibvirtType: - type: string - default: kvm - LibvirtEnabledPerfEvents: - type: comma_delimited_list - default: [] - description: This is a performance event list which could be used as monitor. - For example - ``enabled_perf_events = cmt, mbml, mbmt`` - The supported events list can be found in - https://libvirt.org/html/libvirt-libvirt-domain.html , - which you may need to search key words ``VIR_PERF_PARAM_*`` - MonitoringSubscriptionNovaLibvirt: - default: 'overcloud-nova-libvirt' - type: string - EnableInternalTLS: - type: boolean - default: false - UseTLSTransportForLiveMigration: - type: boolean - default: true - description: If set to true and if EnableInternalTLS is enabled, it will - set the libvirt URI's transport to tls and configure the - relevant keys for libvirt. - UseTLSTransportForVnc: - type: boolean - default: true - description: If set to true and if EnableInternalTLS is enabled, it will - enable TLS transaport for libvirt VNC and configure the - relevant keys for libvirt. - UseTLSTransportForNbd: - type: boolean - default: true - description: If set to true and if EnableInternalTLS is enabled, it will - enable TLS transaport for libvirt NBD and configure the - relevant keys for libvirt. - InternalTLSCAFile: - default: '/etc/ipa/ca.crt' - type: string - description: Specifies the default CA cert to use if TLS is used for - services in the internal network. - InternalTLSVncCAFile: - default: '/etc/pki/CA/certs/vnc.crt' - type: string - description: Specifies the CA cert to use for VNC TLS. - InternalTLSQemuCAFile: - default: '/etc/pki/CA/certs/qemu.pem' - type: string - description: Specifies the CA cert to use for qemu. - LibvirtCACert: - type: string - default: '' - description: This specifies the CA certificate to use for TLS in libvirt. - This file will be symlinked to the default CA path in libvirt, - which is /etc/pki/CA/cacert.pem. Note that due to limitations - GNU TLS, which is the TLS backend for libvirt, the file must - be less than 65K (so we can't use the system's CA bundle). - This parameter should be used if the default (which comes from - the InternalTLSCAFile parameter) is not desired. The current - default reflects TripleO's default CA, which is FreeIPA. - It will only be used if internal TLS is enabled. - LibvirtVncCACert: - type: string - default: '' - description: This specifies the CA certificate to use for VNC TLS. - This file will be symlinked to the default CA path, - which is /etc/pki/libvirt-vnc/ca-cert.pem. - This parameter should be used if the default (which comes from - the InternalTLSVncCAFile parameter) is not desired. The current - default reflects TripleO's default CA, which is FreeIPA. - It will only be used if internal TLS is enabled. - QemuCACert: - type: string - default: '' - description: This specifies the CA certificate to use for qemu. - This file will be symlinked to the default CA path, - which is /etc/pki/qemu/ca-cert.pem. - This parameter should be used if the default (which comes from - the InternalTLSQemuCAFile parameter) is not desired. The current - default reflects TripleO's default CA, which is FreeIPA. - It will only be used if internal TLS is enabled. - MigrationSshKey: - type: json - description: > - SSH key for migration. - Expects a dictionary with keys 'public_key' and 'private_key'. - Values should be identical to SSH public/private key files. - default: - public_key: '' - private_key: '' - MigrationSshPort: - default: 2022 - description: Target port for migration over ssh - type: number - LibvirtTLSPassword: - description: The password for the libvirt service when TLS is enabled - type: string - hidden: true - QemuMemoryBackingDir: - type: string - description: > - Directory used for memoryBacking source if configured as file. - NOTE: big files will be stored here - default: '' - tags: - - role_specific - -conditions: - - use_tls_for_live_migration: - and: - - equals: - - {get_param: EnableInternalTLS} - - true - - equals: - - {get_param: UseTLSTransportForLiveMigration} - - true - - libvirt_specific_ca_unset: - equals: - - {get_param: LibvirtCACert} - - '' - - use_tls_for_vnc: - and: - - equals: - - {get_param: EnableInternalTLS} - - true - - equals: - - {get_param: UseTLSTransportForVnc} - - true - - libvirt_vnc_specific_ca_unset: - equals: - - {get_param: LibvirtVncCACert} - - '' - - use_tls_for_nbd: - and: - - equals: - - {get_param: EnableInternalTLS} - - true - - equals: - - {get_param: UseTLSTransportForNbd} - - true - - qemu_specific_ca_unset: - equals: - - {get_param: QemuCACert} - - '' - -resources: - NovaBase: - type: ./nova-base.yaml - properties: - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - - # Merging role-specific parameters (RoleParameters) with the default parameters. - # RoleParameters will have the precedence over the default parameters. - RoleParametersValue: - type: OS::Heat::Value - properties: - type: json - value: - map_replace: - - map_replace: - - nova::compute::libvirt::qemu::memory_backing_dir: QemuMemoryBackingDir - - values: {get_param: [RoleParameters]} - - values: - QemuMemoryBackingDir: {get_param: QemuMemoryBackingDir} - -outputs: - role_data: - description: Role data for the Libvirt service. - value: - service_name: nova_libvirt - monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt} - config_settings: - map_merge: - - get_attr: [NovaBase, role_data, config_settings] - - get_attr: [RoleParametersValue, value] - # we include ::nova::compute::libvirt::services in nova/libvirt profile - - nova::compute::libvirt::manage_libvirt_services: false - # we manage migration in nova common puppet profile - nova::compute::libvirt::migration_support: false - nova::compute::rbd::libvirt_images_rbd_ceph_conf: - list_join: - - '' - - - '/etc/ceph/' - - {get_param: CephClusterName} - - '.conf' - nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName} - nova::compute::rbd::rbd_keyring: - list_join: - - '.' - - - 'client' - - {get_param: CephClientUserName} - nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey} - nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID} - tripleo::profile::base::nova::migration::client::libvirt_enabled: true - tripleo::profile::base::nova::migration::client::ssh_private_key: {get_param: [ MigrationSshKey, private_key ]} - tripleo::profile::base::nova::migration::client::ssh_port: {get_param: MigrationSshPort} - nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType} - nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType} - nova::compute::libvirt::libvirt_enabled_perf_events: {get_param: LibvirtEnabledPerfEvents} - nova::compute::libvirt::qemu::configure_qemu: true - nova::compute::libvirt::qemu::max_files: 32768 - nova::compute::libvirt::qemu::max_processes: 131072 - nova::migration::qemu::configure_qemu: true - nova::migration::qemu::migration_port_min: 61152 - nova::migration::qemu::migration_port_max: 61215 - nova::compute::libvirt::vncserver_listen: - str_replace: - template: - "%{hiera('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - rbd_persistent_storage: {get_param: CinderEnableRbdBackend} - tripleo::nova_libvirt::firewall_rules: - '200 nova_libvirt': - dport: - - 16514 - - '61152-61215' - - '5900-6923' - - - - if: - - use_tls_for_live_migration - - - generate_service_certificates: true - tripleo::profile::base::nova::migration::client::libvirt_tls: true - tripleo::profile::base::nova::libvirt::tls_password: {get_param: [LibvirtTLSPassword]} - nova::migration::libvirt::listen_address: - str_replace: - template: - "%{hiera('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - nova::migration::libvirt::live_migration_inbound_addr: - str_replace: - template: - "%{hiera('fqdn_$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - tripleo::certmonger::ca::libvirt::origin_ca_pem: - if: - - libvirt_specific_ca_unset - - get_param: InternalTLSCAFile - - get_param: LibvirtCACert - tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt' - tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private' - libvirt_certificates_specs: - libvirt-server-cert: - service_certificate: '/etc/pki/libvirt/servercert.pem' - service_key: '/etc/pki/libvirt/private/serverkey.pem' - hostname: - str_replace: - template: "%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - principal: - str_replace: - template: "libvirt/%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - libvirt-client-cert: - service_certificate: '/etc/pki/libvirt/clientcert.pem' - service_key: '/etc/pki/libvirt/private/clientkey.pem' - hostname: - str_replace: - template: "%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - principal: - str_replace: - template: "libvirt/%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - - - nova::migration::libvirt::live_migration_inbound_addr: - str_replace: - template: - "%{hiera('fqdn_$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - - - if: - - use_tls_for_vnc - - - nova::compute::libvirt::qemu::vnc_tls: true - nova::compute::libvirt::qemu::vnc_tls_verify: true - generate_service_certificates: true - tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem: - if: - - libvirt_vnc_specific_ca_unset - - get_param: InternalTLSVncCAFile - - get_param: LibvirtVncCACert - tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc' - libvirt_vnc_certificates_specs: - libvirt-vnc-server-cert: - cacertfile: - if: - - libvirt_vnc_specific_ca_unset - - get_param: InternalTLSVncCAFile - - null - service_certificate: '/etc/pki/libvirt-vnc/server-cert.pem' - service_key: '/etc/pki/libvirt-vnc/server-key.pem' - hostname: - str_replace: - template: "%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - principal: - str_replace: - template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - - {} - - - if: - - use_tls_for_nbd - - - nova::compute::libvirt::qemu::nbd_tls: true - nova::migration::libvirt::live_migration_with_native_tls: true - tripleo::certmonger::qemu_dirs::certificate_dir: '/etc/pki/qemu' - tripleo::certmonger::qemu_nbd_dirs::certificate_dir: '/etc/pki/libvirt-nbd' - generate_service_certificates: true - tripleo::certmonger::ca::qemu::origin_ca_pem: - if: - - qemu_specific_ca_unset - - get_param: InternalTLSQemuCAFile - - get_param: QemuCACert - qemu_certificates_specs: - qemu-server-cert: - cacertfile: - if: - - qemu_specific_ca_unset - - get_param: InternalTLSQemuCAFile - - null - service_certificate: '/etc/pki/qemu/server-cert.pem' - service_key: '/etc/pki/qemu/server-key.pem' - hostname: - str_replace: - template: "%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - principal: - str_replace: - template: "qemu/%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - qemu-nbd-client-cert: - cacertfile: - if: - - qemu_specific_ca_unset - - get_param: InternalTLSQemuCAFile - - null - service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem' - service_key: '/etc/pki/libvirt-nbd/client-key.pem' - hostname: - str_replace: - template: "%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - principal: - str_replace: - template: "qemu/%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - - {} - step_config: | - include tripleo::profile::base::nova::libvirt - metadata_settings: - list_concat: - - if: - - use_tls_for_live_migration - - - - service: libvirt - network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - type: node - - null - - if: - - use_tls_for_vnc - - - - service: libvirt-vnc - network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - type: node - - null - - if: - - use_tls_for_nbd - - - - service: qemu - network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - type: node - - null