diff --git a/docker/services/messaging/notify-rabbitmq-shared.yaml b/docker/services/messaging/notify-rabbitmq-shared.yaml index bda313e604..4262459ead 100644 --- a/docker/services/messaging/notify-rabbitmq-shared.yaml +++ b/docker/services/messaging/notify-rabbitmq-shared.yaml @@ -30,25 +30,38 @@ parameters: default: {} description: Parameters specific to the role type: json + RpcPort: + default: 5672 + description: The network port for messaging backend + type: number + RpcUserName: + default: guest + description: The username for messaging backend + type: string + RpcPassword: + description: The password for messaging backend + type: string + hidden: true + RpcUseSSL: + default: false + description: > + Messaging client subscriber parameter to specify + an SSL connection to the messaging host. + type: string resources: ContainersCommon: type: ../containers-common.yaml - RabbitmqBase: - type: ../../../puppet/services/messaging/notify-rabbitmq-shared.yaml - properties: - EndpointMap: {get_param: EndpointMap} - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - outputs: role_data: description: Role data for the oslo messaging notify role. value: - service_name: {get_attr: [RabbitmqBase, role_data, service_name]} - global_config_settings: {get_attr: [RabbitmqBase, role_data, global_config_settings]} + service_name: oslo_messaging_notify + global_config_settings: + oslo_messaging_notify_scheme: rabbit + oslo_messaging_notify_user_name: {get_param: RpcUserName} + oslo_messaging_notify_password: {get_param: RpcPassword} + oslo_messaging_notify_use_ssl: {get_param: RpcUseSSL} + oslo_messaging_notify_port: {get_param: RpcPort} diff --git a/docker/services/messaging/notify-rabbitmq.yaml b/docker/services/messaging/notify-rabbitmq.yaml index 368fdb870d..26293e6b9f 100644 
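Review bot: `RpcUseSSL` is declared `type: string` but given the bare YAML boolean `default: false`, and nothing in this template ties it to the broker's TLS setting, so `oslo_messaging_notify_use_ssl` stays off unless an operator or environment file sets it. The same declaration is added as `NotifyUseSSL` in notify-rabbitmq.yaml and as `RpcUseSSL` in rpc-rabbitmq.yaml, where the broker side is driven by `EnableInternalTLS` (`rabbitmq::ssl_only`), so client and server settings can presumably disagree. I would quote the default (`default: 'false'`) so value and declared type match, and extend the description to say the flag has to be enabled together with `EnableInternalTLS`. The `parameters` block starts above this hunk.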
--- a/docker/services/messaging/notify-rabbitmq.yaml +++ b/docker/services/messaging/notify-rabbitmq.yaml @@ -48,9 +48,25 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + NotifyPort: + default: 5672 + description: The network port for messaging Notify backend + type: number + NotifyUserName: + default: guest + description: The username for messaging Notifications + type: string + NotifyPassword: + description: The password for messaging Notifications + type: string + hidden: true + NotifyUseSSL: + default: false + description: Messaging Notification client subscriber parameter to specify + an SSL connection to the messaging host. + type: string conditions: - internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: @@ -58,13 +74,13 @@ resources: ContainersCommon: type: ../containers-common.yaml - RabbitmqBase: - type: ../../../puppet/services/messaging/notify-rabbitmq.yaml + RabbitMQServiceBase: + type: ../rabbitmq.yaml properties: - EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} 
@@ -72,18 +88,68 @@ outputs: role_data: description: Role data for the Rabbitmq API role. value: - service_name: {get_attr: [RabbitmqBase, role_data, service_name]} + service_name: oslo_messaging_notify + monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]} # RabbitMQ plugins initialization occurs on every node - global_config_settings: {get_attr: [RabbitmqBase, role_data, global_config_settings]} + global_config_settings: + map_merge: + - get_attr: [RabbitMQServiceBase, role_data, global_config_settings] + - oslo_messaging_notify_scheme: rabbit + oslo_messaging_notify_user_name: {get_param: NotifyUserName} + oslo_messaging_notify_password: {get_param: NotifyPassword} + oslo_messaging_notify_use_ssl: {get_param: NotifyUseSSL} + oslo_messaging_notify_port: {get_param: NotifyPort} config_settings: map_merge: - - {get_attr: [RabbitmqBase, role_data, config_settings]} - - rabbitmq::admin_enable: false - - if: + - get_attr: [RabbitMQServiceBase, role_data, config_settings] + - rabbitmq::default_user: {get_param: NotifyUserName} + rabbitmq::default_pass: {get_param: NotifyPassword} + tripleo::oslo_messaging_notify::firewall_rules: + '109 rabbitmq': + dport: + - 4369 + - {get_param: NotifyPort} + - 25672 + rabbitmq::port: {get_param: NotifyPort} + rabbitmq::interface: + str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} + rabbitmq::ssl: {get_param: EnableInternalTLS} + rabbitmq::ssl_erl_dist: {get_param: EnableInternalTLS} + rabbitmq::ssl_port: {get_param: NotifyPort} + rabbitmq::ssl_only: {get_param: EnableInternalTLS} + rabbitmq::ssl_interface: + str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} + tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS} + rabbitmq::admin_enable: false + - + if: - internal_tls_enabled - - 
tripleo::certmonger::rabbitmq::postsave_cmd: "true" # TODO: restart the rabbitmq container here + - generate_service_certificates: true + tripleo::rabbitmq::service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' + tripleo::certmonger::rabbitmq::postsave_cmd: "true" # TODO: restart the rabbitmq container here + tripleo::profile::base::rabbitmq::certificate_specs: + service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' + service_key: '/etc/pki/tls/private/rabbitmq.key' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} + principal: + str_replace: + template: "rabbitmq/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} + postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" - {} - service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS puppet_config: config_volume: rabbitmq @@ -91,7 +157,7 @@ outputs: list_join: - "\n" - - "['Rabbitmq_policy', 'Rabbitmq_user'].each |String $val| { noop_resource($val) }" - - get_attr: [RabbitmqBase, role_data, step_config] + - "include ::tripleo::profile::base::rabbitmq" config_image: &rabbitmq_config_image {get_param: DockerRabbitmqConfigImage} kolla_config: /var/lib/kolla/config_files/rabbitmq.json: @@ -208,7 +274,13 @@ outputs: - /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro - /var/lib/rabbitmq:/var/lib/rabbitmq:z metadata_settings: - get_attr: [RabbitmqBase, role_data, metadata_settings] + if: + - internal_tls_enabled + - + - service: rabbitmq + network: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} + type: node + - null host_prep_tasks: - name: create persistent directories file: diff --git a/docker/services/messaging/rpc-rabbitmq.yaml b/docker/services/messaging/rpc-rabbitmq.yaml index b144655829..0e3f492da9 100644 --- a/docker/services/messaging/rpc-rabbitmq.yaml 
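Review bot: The `internal_tls_enabled` branch of `config_settings` in notify-rabbitmq.yaml now sets two post-save commands for the same certificate: `tripleo::certmonger::rabbitmq::postsave_cmd: "true"` (still carrying the restart TODO) and `postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"` inside `certificate_specs`. Which of the two certmonger ends up running is not visible in this diff; if the no-op wins, a renewed certificate is written to disk but the containerised broker may keep serving the old one until it is restarted. Either keep a single command or add a comment on the no-op stating the intent, for example `# NOTE: takes precedence over certificate_specs.postsave_cmd until the container restart is implemented` (to be confirmed by the author). The rpc-rabbitmq.yaml hunk adds the same pair, and docker/services/rabbitmq.yaml keeps the no-op in a separate `if` entry after the new one.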
+++ b/docker/services/messaging/rpc-rabbitmq.yaml @@ -48,9 +48,26 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + RpcPort: + default: 5672 + description: The network port for messaging backend + type: number + RpcUserName: + default: guest + description: The username for messaging backend + type: string + RpcPassword: + description: The password for messaging backend + type: string + hidden: true + RpcUseSSL: + default: false + description: > + Messaging client subscriber parameter to specify + an SSL connection to the messaging host. + type: string conditions: - internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: @@ -58,13 +75,13 @@ resources: ContainersCommon: type: ../containers-common.yaml - RabbitmqBase: - type: ../../../puppet/services/messaging/rpc-rabbitmq.yaml + RabbitMQServiceBase: + type: ../rabbitmq.yaml properties: - EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} 
@@ -72,18 +89,67 @@ outputs: role_data: description: Role data for the Rabbitmq API role. value: - service_name: {get_attr: [RabbitmqBase, role_data, service_name]} - # RabbitMQ plugins initialization occurs on every node - global_config_settings: {get_attr: [RabbitmqBase, role_data, global_config_settings]} + service_name: oslo_messaging_rpc + monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]} + global_config_settings: + map_merge: + - get_attr: [RabbitMQServiceBase, role_data, global_config_settings] + - oslo_messaging_rpc_scheme: rabbit + oslo_messaging_rpc_user_name: {get_param: RpcUserName} + oslo_messaging_rpc_password: {get_param: RpcPassword} + oslo_messaging_rpc_use_ssl: {get_param: RpcUseSSL} + oslo_messaging_rpc_port: {get_param: RpcPort } config_settings: map_merge: - - {get_attr: [RabbitmqBase, role_data, config_settings]} - - rabbitmq::admin_enable: false - - if: + - get_attr: [RabbitMQServiceBase, role_data, config_settings] + - rabbitmq::default_user: {get_param: RpcUserName} + rabbitmq::default_pass: {get_param: RpcPassword} + tripleo::oslo_messaging_rpc::firewall_rules: + '109 rabbitmq': + dport: + - 4369 + - {get_param: RpcPort} + - 25672 + rabbitmq::port: {get_param: RpcPort} + rabbitmq::interface: + str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} + rabbitmq::ssl: {get_param: EnableInternalTLS} + rabbitmq::ssl_erl_dist: {get_param: EnableInternalTLS} + rabbitmq::ssl_port: {get_param: RpcPort} + rabbitmq::ssl_only: {get_param: EnableInternalTLS} + rabbitmq::ssl_interface: + str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} + tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS} + rabbitmq::admin_enable: false + - + if: - internal_tls_enabled - - tripleo::certmonger::rabbitmq::postsave_cmd: "true" # TODO: restart the 
rabbitmq container here + - generate_service_certificates: true + tripleo::rabbitmq::service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' + tripleo::certmonger::rabbitmq::postsave_cmd: "true" # TODO: restart the rabbitmq container here + tripleo::profile::base::rabbitmq::certificate_specs: + service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' + service_key: '/etc/pki/tls/private/rabbitmq.key' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} + principal: + str_replace: + template: "rabbitmq/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} + postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" - {} - service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS puppet_config: config_volume: rabbitmq @@ -91,7 +157,7 @@ outputs: list_join: - "\n" - - "['Rabbitmq_policy', 'Rabbitmq_user'].each |String $val| { noop_resource($val) }" - - get_attr: [RabbitmqBase, role_data, step_config] + - "include ::tripleo::profile::base::rabbitmq" config_image: &rabbitmq_config_image {get_param: DockerRabbitmqConfigImage} kolla_config: /var/lib/kolla/config_files/rabbitmq.json: @@ -208,7 +274,13 @@ outputs: - /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro - /var/lib/rabbitmq:/var/lib/rabbitmq:z metadata_settings: - get_attr: [RabbitmqBase, role_data, metadata_settings] + if: + - internal_tls_enabled + - + - service: rabbitmq + network: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} + type: node + - null host_prep_tasks: - name: create persistent directories file: diff --git a/docker/services/pacemaker/notify-rabbitmq.yaml b/docker/services/pacemaker/notify-rabbitmq.yaml index 731c02be56..1ac12e2290 100644 --- a/docker/services/pacemaker/notify-rabbitmq.yaml +++ b/docker/services/pacemaker/notify-rabbitmq.yaml 
@@ -71,7 +71,7 @@ resources: type: ../containers-common.yaml RabbitmqBase: - type: ../../../puppet/services/messaging/notify-rabbitmq.yaml + type: ../messaging/notify-rabbitmq.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} @@ -115,7 +115,7 @@ outputs: list_join: - "\n" - - "['Rabbitmq_policy', 'Rabbitmq_user'].each |String $val| { noop_resource($val) }" - - get_attr: [RabbitmqBase, role_data, step_config] + - "include ::tripleo::profile::base::rabbitmq" config_image: {get_param: DockerRabbitmqConfigImage} kolla_config: /var/lib/kolla/config_files/rabbitmq.json: diff --git a/docker/services/pacemaker/rabbitmq.yaml b/docker/services/pacemaker/rabbitmq.yaml index 03c9588e6c..b3cf1dc1e0 100644 --- a/docker/services/pacemaker/rabbitmq.yaml +++ b/docker/services/pacemaker/rabbitmq.yaml @@ -70,13 +70,13 @@ resources: ContainersCommon: type: ../containers-common.yaml - RabbitmqBase: - type: ../../../puppet/services/rabbitmq.yaml + RabbitMQServiceBase: + type: ../rabbitmq.yaml properties: - EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} @@ -84,10 +84,12 @@ outputs: role_data: description: Role data for the Rabbitmq API role. value: - service_name: {get_attr: [RabbitmqBase, role_data, service_name]} + service_name: rabbitmq + monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]} config_settings: map_merge: - - {get_attr: [RabbitmqBase, role_data, config_settings]} + - get_attr: [RabbitMQServiceBase, role_data, config_settings] + - rabbitmq::service_manage: false - rabbitmq::service_manage: false tripleo::profile::pacemaker::rabbitmq_bundle::rabbitmq_docker_image: &rabbitmq_image_pcmklatest list_join: 
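Review bot: In the docker/services/pacemaker/rabbitmq.yaml hunk `@@ -84,10 +84,12 @@`, the added `- rabbitmq::service_manage: false` entry duplicates the key that the unchanged entry right after it already sets, so the `map_merge` list carries the same setting twice. The result should be the same either way, but it reads like a leftover from copying the deleted puppet template. Dropping the added line leaves `- get_attr: [RabbitMQServiceBase, role_data, config_settings]` followed directly by the existing map. The `config_settings` block continues past the end of the hunk.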
@@ -257,7 +259,7 @@ outputs: echo 'export ERL_EPMD_PORT=4370' >> /etc/rabbitmq/rabbitmq-env.conf for pid in $(pgrep epmd --ns 1 --nslist pid); do kill $pid; done metadata_settings: - get_attr: [RabbitmqBase, role_data, metadata_settings] + get_attr: [RabbitMQServiceBase, role_data, metadata_settings] deploy_steps_tasks: - name: RabbitMQ tag container image for pacemaker when: step|int == 1 diff --git a/docker/services/pacemaker/rpc-rabbitmq.yaml b/docker/services/pacemaker/rpc-rabbitmq.yaml index b7a3cfe4c1..bf50f42331 100644 --- a/docker/services/pacemaker/rpc-rabbitmq.yaml +++ b/docker/services/pacemaker/rpc-rabbitmq.yaml @@ -71,7 +71,7 @@ resources: type: ../containers-common.yaml RabbitmqBase: - type: ../../../puppet/services/messaging/rpc-rabbitmq.yaml + type: ../messaging/rpc-rabbitmq.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} diff --git a/docker/services/rabbitmq.yaml b/docker/services/rabbitmq.yaml index 47e0d97bdd..e40f6a9080 100644 --- a/docker/services/rabbitmq.yaml +++ b/docker/services/rabbitmq.yaml 
@@ -48,6 +48,50 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitFDLimit: + default: 65536 + description: Configures RabbitMQ FD limit + type: number + RabbitIPv6: + default: false + description: Enable IPv6 in RabbitMQ + type: boolean + RabbitCookie: + type: string + default: '' + hidden: true + RabbitHAQueues: + description: + The number of HA queues to be configured in rabbit. The default is -1 which + translates to "ha-mode all". The special value 0 will be automatically + overridden to CEIL(N/2) where N is the number of nodes running rabbitmq. + default: 0 + type: number + RabbitNetTickTime: + description: + The number of seconds to configure the value of the erlang + net_ticktime kernel variable. + default: 15 + type: number + RabbitAdditionalErlArgs: + description: + Additional parameters passed to the Erlang subsystem. The string + needs to be enclosed in quotes twice. We default to +sbwt none + in order to have the erlang vm be less busy on spinlocks, but + we allow a simple way of overriding it. + default: "'+sbwt none'" + type: string + MonitoringSubscriptionRabbitmq: + default: 'overcloud-rabbitmq' + type: string conditions: 
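Review bot: The `RabbitHAQueues` description says "The default is -1" while the parameter declares `default: 0`, so the text and the value disagree. Something like `The default 0 is automatically overridden to CEIL(N/2), where N is the number of nodes running rabbitmq; -1 translates to "ha-mode all".` would match the declaration. `RabbitCookie` and `MonitoringSubscriptionRabbitmq` are added without a `description`. `RabbitCookie` is the hidden value fed to `rabbitmq::erlang_cookie`, with a fallback to `DefaultPasswords.rabbit_cookie` when it is empty, per the yaql expression later in this file. A line such as `description: Erlang cookie shared by the cluster nodes; leave empty to use the generated DefaultPasswords value` would tell operators what they are overriding.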
@@ -58,31 +102,107 @@ resources: ContainersCommon: type: ./containers-common.yaml - RabbitmqBase: - type: ../../puppet/services/rabbitmq.yaml - properties: - EndpointMap: {get_param: EndpointMap} - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - outputs: role_data: description: Role data for the Rabbitmq API role. value: - service_name: {get_attr: [RabbitmqBase, role_data, service_name]} + service_name: rabbitmq + monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq} # RabbitMQ plugins initialization occurs on every node config_settings: map_merge: - - {get_attr: [RabbitmqBase, role_data, config_settings]} + - + rabbitmq::file_limit: {get_param: RabbitFDLimit} + rabbitmq::default_user: {get_param: RabbitUserName} + rabbitmq::default_pass: {get_param: RabbitPassword} + rabbit_ipv6: {get_param: RabbitIPv6} + tripleo::rabbitmq::firewall_rules: + '109 rabbitmq': + dport: + - 4369 + - 5672 + - 25672 + rabbitmq::delete_guest_user: false + rabbitmq::wipe_db_on_cookie_change: true + rabbitmq::port: 5672 + rabbitmq::package_provider: yum + rabbitmq::package_source: undef + rabbitmq::repos_ensure: false + rabbitmq::tcp_keepalive: true + rabbitmq_environment: + NODE_PORT: '' + NODE_IP_ADDRESS: '' + RABBITMQ_NODENAME: "rabbit@%{::hostname}" + RABBITMQ_SERVER_ERL_ARGS: '"+K true +P 1048576 -kernel inet_default_connect_options [{nodelay,true}]"' + RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS: {get_param: RabbitAdditionalErlArgs} + 'export ERL_EPMD_ADDRESS': "%{hiera('rabbitmq::interface')}" + rabbitmq_kernel_variables: + inet_dist_listen_min: '25672' + inet_dist_listen_max: '25672' + net_ticktime: {get_param: RabbitNetTickTime} + rabbitmq_config_variables: + cluster_partition_handling: 'ignore' + queue_master_locator: '<<"min-masters">>' + loopback_users: '[]' + rabbitmq::erlang_cookie: + yaql: + expression: 
$.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: RabbitCookie} + - {get_param: [DefaultPasswords, rabbit_cookie]} + # NOTE: bind IP is found in hiera replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + rabbitmq::interface: + str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} + rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues} + rabbitmq::ssl: {get_param: EnableInternalTLS} + rabbitmq::ssl_erl_dist: {get_param: EnableInternalTLS} + rabbitmq::ssl_port: 5672 + rabbitmq::ssl_depth: 1 + rabbitmq::ssl_only: {get_param: EnableInternalTLS} + rabbitmq::ssl_interface: + str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} + # TODO(jaosorior): Remove this once we set a proper default in + # puppet-tripleo + tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS} + - + if: + - internal_tls_enabled + - generate_service_certificates: true + tripleo::rabbitmq::service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' + tripleo::profile::base::rabbitmq::certificate_specs: + service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' + service_key: '/etc/pki/tls/private/rabbitmq.key' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} + principal: + str_replace: + template: "rabbitmq/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} + postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + - {} - rabbitmq::admin_enable: false - if: - internal_tls_enabled - tripleo::certmonger::rabbitmq::postsave_cmd: "true" # TODO: restart the rabbitmq container here - {} - service_config_settings: {get_attr: [RabbitmqBase, 
role_data, service_config_settings]} # BEGIN DOCKER SETTINGS puppet_config: config_volume: rabbitmq @@ -90,7 +210,7 @@ outputs: list_join: - "\n" - - "['Rabbitmq_policy', 'Rabbitmq_user'].each |String $val| { noop_resource($val) }" - - get_attr: [RabbitmqBase, role_data, step_config] + - "include ::tripleo::profile::base::rabbitmq" config_image: &rabbitmq_config_image {get_param: DockerRabbitmqConfigImage} kolla_config: /var/lib/kolla/config_files/rabbitmq.json: @@ -207,7 +327,13 @@ outputs: - /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro - /var/lib/rabbitmq:/var/lib/rabbitmq metadata_settings: - get_attr: [RabbitmqBase, role_data, metadata_settings] + if: + - internal_tls_enabled + - + - service: rabbitmq + network: {get_param: [ServiceNetMap, RabbitmqNetwork]} + type: node + - null host_prep_tasks: - name: create persistent directories file: diff --git a/environments/baremetal-services.yaml b/environments/baremetal-services.yaml index f88747e8ec..b5c8d862f8 100644 --- a/environments/baremetal-services.yaml +++ b/environments/baremetal-services.yaml @@ -49,7 +49,7 @@ resource_registry: OS::TripleO::Services::NovaVncProxy: ../puppet/services/nova-vnc-proxy.yaml OS::TripleO::Services::PankoApi: ../deployment/panko/panko-api-container-puppet.yaml OS::TripleO::Services::Qdr: OS::Heat::None - OS::TripleO::Services::RabbitMQ: ../puppet/services/rabbitmq.yaml + OS::TripleO::Services::RabbitMQ: ../docker/services/rabbitmq.yaml OS::TripleO::Services::Redis: ../puppet/services/database/redis.yaml OS::TripleO::Services::Sshd: ../deployment/sshd/sshd-baremetal-puppet.yaml OS::TripleO::Services::SwiftDispersion: ../deployment/swift/swift-dispersion-baremetal-puppet.yaml diff --git a/puppet/services/messaging/notify-rabbitmq-shared.yaml b/puppet/services/messaging/notify-rabbitmq-shared.yaml deleted file mode 100644 index 05f9e32df2..0000000000 --- a/puppet/services/messaging/notify-rabbitmq-shared.yaml +++ /dev/null 
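Review bot: `rabbitmq_config_variables` sets `loopback_users: '[]'` next to `rabbitmq::delete_guest_user: false`, and `rabbitmq::default_user` comes from `RabbitUserName`, whose default in the parameters hunk above is `guest`. Out of the box the well-known `guest` account is therefore kept and is no longer limited to localhost connections. `RabbitPassword` is then the only barrier on that account, and the firewall rule in the same map lists 5672 among its `dport` entries. A comment should record that this is deliberate, e.g. `# loopback_users is emptied so default_user (guest unless RabbitUserName is overridden) can connect from other hosts`, and the `RabbitUserName` description could recommend overriding the default. The `role_data` value continues past this hunk.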
@@ -1,63 +0,0 @@ -heat_template_version: rocky - -description: > - RabbitMQ service for messaging Notifications configured with Puppet - using a single shared rabbit backend - -parameters: - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - RpcPort: - default: 5672 - description: The network port for messaging backend - type: number - RpcUserName: - default: guest - description: The username for messaging backend - type: string - RpcPassword: - description: The password for messaging backend - type: string - hidden: true - RpcUseSSL: - default: false - description: > - Messaging client subscriber parameter to specify - an SSL connection to the messaging host. - type: string - -outputs: - role_data: - description: Role data for the OsloMessagingNotify role. - value: - service_name: oslo_messaging_notify - global_config_settings: - oslo_messaging_notify_scheme: rabbit - oslo_messaging_notify_user_name: {get_param: RpcUserName} - oslo_messaging_notify_password: {get_param: RpcPassword} - oslo_messaging_notify_use_ssl: {get_param: RpcUseSSL} - oslo_messaging_notify_port: {get_param: RpcPort} diff --git a/puppet/services/messaging/notify-rabbitmq.yaml b/puppet/services/messaging/notify-rabbitmq.yaml deleted file mode 100644 index e4764760d1..0000000000 --- a/puppet/services/messaging/notify-rabbitmq.yaml +++ /dev/null 
@@ -1,147 +0,0 @@ -heat_template_version: rocky - -description: > - RabbitMQ service for messaging Notifications configured with Puppet - -parameters: - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - NotifyPort: - default: 5672 - description: The network port for messaging Notify backend - type: number - NotifyUserName: - default: guest - description: The username for messaging Notifications - type: string - NotifyPassword: - description: The password for messaging Notifications - type: string - hidden: true - NotifyUseSSL: - default: false - description: Messaging Notification client subscriber parameter to specify - an SSL connection to the messaging host. - type: string - EnableInternalTLS: - type: boolean - default: false - -resources: - RabbitMQServiceBase: - type: ../rabbitmq.yaml - properties: - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - -conditions: - internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} - -outputs: - role_data: - description: Role data for the OsloMessagingNotify role. 
- value: - service_name: oslo_messaging_notify - monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]} - global_config_settings: - map_merge: - - get_attr: [RabbitMQServiceBase, role_data, global_config_settings] - - oslo_messaging_notify_scheme: rabbit - oslo_messaging_notify_user_name: {get_param: NotifyUserName} - oslo_messaging_notify_password: {get_param: NotifyPassword} - oslo_messaging_notify_use_ssl: {get_param: NotifyUseSSL} - oslo_messaging_notify_port: {get_param: NotifyPort} - config_settings: - map_merge: - - get_attr: [RabbitMQServiceBase, role_data, config_settings] - - rabbitmq::default_user: {get_param: NotifyUserName} - rabbitmq::default_pass: {get_param: NotifyPassword} - tripleo::oslo_messaging_notify::firewall_rules: - '109 rabbitmq': - dport: - - 4369 - - {get_param: NotifyPort} - - 25672 - rabbitmq::port: {get_param: NotifyPort} - rabbitmq::interface: - str_replace: - template: - "%{hiera('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} - rabbitmq::ssl: {get_param: EnableInternalTLS} - rabbitmq::ssl_erl_dist: {get_param: EnableInternalTLS} - rabbitmq::ssl_port: {get_param: NotifyPort} - rabbitmq::ssl_only: {get_param: EnableInternalTLS} - rabbitmq::ssl_interface: - str_replace: - template: - "%{hiera('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} - tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS} - - - if: - - internal_tls_enabled - - generate_service_certificates: true - tripleo::rabbitmq::service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' - tripleo::profile::base::rabbitmq::certificate_specs: - service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' - service_key: '/etc/pki/tls/private/rabbitmq.key' - hostname: - str_replace: - template: "%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} - principal: - str_replace: - 
template: "rabbitmq/%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} - postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" - - {} - step_config: | - include ::tripleo::profile::base::rabbitmq - upgrade_tasks: - - name: Stop rabbitmq service - when: step|int == 2 - service: name=rabbitmq-server state=stopped - - name: Start rabbitmq service - when: step|int == 4 - service: name=rabbitmq-server state=started - metadata_settings: - if: - - internal_tls_enabled - - - - service: rabbitmq - network: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} - type: node - - null diff --git a/puppet/services/messaging/rpc-rabbitmq.yaml b/puppet/services/messaging/rpc-rabbitmq.yaml deleted file mode 100644 index 30f9e8018b..0000000000 --- a/puppet/services/messaging/rpc-rabbitmq.yaml +++ /dev/null 
@@ -1,148 +0,0 @@ -heat_template_version: rocky - -description: > - RabbitMQ service for messaging RPCs configured with Puppet - -parameters: - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - RpcPort: - default: 5672 - description: The network port for messaging backend - type: number - RpcUserName: - default: guest - description: The username for messaging backend - type: string - RpcPassword: - description: The password for messaging backend - type: string - hidden: true - RpcUseSSL: - default: false - description: > - Messaging client subscriber parameter to specify - an SSL connection to the messaging host. - type: string - EnableInternalTLS: - type: boolean - default: false - -resources: - RabbitMQServiceBase: - type: ../rabbitmq.yaml - properties: - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - -conditions: - internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} - -outputs: - role_data: - description: Role data for the OsloMessagingRpc role. 
- value: - service_name: oslo_messaging_rpc - monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]} - global_config_settings: - map_merge: - - get_attr: [RabbitMQServiceBase, role_data, global_config_settings] - - oslo_messaging_rpc_scheme: rabbit - oslo_messaging_rpc_user_name: {get_param: RpcUserName} - oslo_messaging_rpc_password: {get_param: RpcPassword} - oslo_messaging_rpc_use_ssl: {get_param: RpcUseSSL} - oslo_messaging_rpc_port: {get_param: RpcPort } - config_settings: - map_merge: - - get_attr: [RabbitMQServiceBase, role_data, config_settings] - - rabbitmq::default_user: {get_param: RpcUserName} - rabbitmq::default_pass: {get_param: RpcPassword} - tripleo::oslo_messaging_rpc::firewall_rules: - '109 rabbitmq': - dport: - - 4369 - - {get_param: RpcPort} - - 25672 - rabbitmq::port: {get_param: RpcPort} - rabbitmq::interface: - str_replace: - template: - "%{hiera('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} - rabbitmq::ssl: {get_param: EnableInternalTLS} - rabbitmq::ssl_erl_dist: {get_param: EnableInternalTLS} - rabbitmq::ssl_port: {get_param: RpcPort} - rabbitmq::ssl_only: {get_param: EnableInternalTLS} - rabbitmq::ssl_interface: - str_replace: - template: - "%{hiera('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} - tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS} - - - if: - - internal_tls_enabled - - generate_service_certificates: true - tripleo::rabbitmq::service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' - tripleo::profile::base::rabbitmq::certificate_specs: - service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' - service_key: '/etc/pki/tls/private/rabbitmq.key' - hostname: - str_replace: - template: "%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} - principal: - str_replace: - template: "rabbitmq/%{hiera('fqdn_NETWORK')}" - params: - 
NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} - postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" - - {} - step_config: | - include ::tripleo::profile::base::rabbitmq - upgrade_tasks: - - name: Stop rabbitmq service - when: step|int == 2 - service: name=rabbitmq-server state=stopped - - name: Start rabbitmq service - when: step|int == 4 - service: name=rabbitmq-server state=started - metadata_settings: - if: - - internal_tls_enabled - - - - service: rabbitmq - network: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} - type: node - - null diff --git a/puppet/services/pacemaker/rabbitmq.yaml b/puppet/services/pacemaker/rabbitmq.yaml deleted file mode 100644 index 54b1babf27..0000000000 --- a/puppet/services/pacemaker/rabbitmq.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -heat_template_version: rocky - -description: > - RabbitMQ service with Pacemaker configured with Puppet - -parameters: - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - -resources: - RabbitMQServiceBase: - type: ../rabbitmq.yaml - properties: - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - -outputs: - role_data: - description: Role data for the RabbitMQ pacemaker role. - value: - service_name: rabbitmq - monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]} - config_settings: - map_merge: - - get_attr: [RabbitMQServiceBase, role_data, config_settings] - - rabbitmq::service_manage: false - step_config: | - include ::tripleo::profile::pacemaker::rabbitmq - metadata_settings: - get_attr: [RabbitMQServiceBase, role_data, metadata_settings] diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml deleted file mode 100644 index 69e2eb5c6a..0000000000 --- a/puppet/services/rabbitmq.yaml +++ /dev/null 
@@ -1,195 +0,0 @@ -heat_template_version: rocky - -description: > - RabbitMQ service configured with Puppet - -parameters: - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - RabbitUserName: - default: guest - description: The username for RabbitMQ - type: string - RabbitPassword: - description: The password for RabbitMQ - type: string - hidden: true - RabbitFDLimit: - default: 65536 - description: Configures RabbitMQ FD limit - type: number - RabbitIPv6: - default: false - description: Enable IPv6 in RabbitMQ - type: boolean - RabbitCookie: - type: string - default: '' - hidden: true - RabbitHAQueues: - description: - The number of HA queues to be configured in rabbit. The default is -1 which - translates to "ha-mode all". The special value 0 will be automatically - overridden to CEIL(N/2) where N is the number of nodes running rabbitmq. - default: 0 - type: number - RabbitNetTickTime: - description: - The number of seconds to configure the value of the erlang - net_ticktime kernel variable. - default: 15 - type: number - RabbitAdditionalErlArgs: - description: - Additional parameters passed to the Erlang subsystem. The string - needs to be enclosed in quotes twice. We default to +sbwt none - in order to have the erlang vm be less busy on spinlocks, but - we allow a simple way of overriding it. 
- default: "'+sbwt none'" - type: string - MonitoringSubscriptionRabbitmq: - default: 'overcloud-rabbitmq' - type: string - EnableInternalTLS: - type: boolean - default: false - -conditions: - internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} - -outputs: - role_data: - description: Role data for the RabbitMQ role. - value: - service_name: rabbitmq - monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq} - config_settings: - map_merge: - - - rabbitmq::file_limit: {get_param: RabbitFDLimit} - rabbitmq::default_user: {get_param: RabbitUserName} - rabbitmq::default_pass: {get_param: RabbitPassword} - rabbit_ipv6: {get_param: RabbitIPv6} - tripleo::rabbitmq::firewall_rules: - '109 rabbitmq': - dport: - - 4369 - - 5672 - - 25672 - rabbitmq::delete_guest_user: false - rabbitmq::wipe_db_on_cookie_change: true - rabbitmq::port: 5672 - rabbitmq::package_provider: yum - rabbitmq::package_source: undef - rabbitmq::repos_ensure: false - rabbitmq::tcp_keepalive: true - rabbitmq_environment: - NODE_PORT: '' - NODE_IP_ADDRESS: '' - RABBITMQ_NODENAME: "rabbit@%{::hostname}" - RABBITMQ_SERVER_ERL_ARGS: '"+K true +P 1048576 -kernel inet_default_connect_options [{nodelay,true}]"' - RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS: {get_param: RabbitAdditionalErlArgs} - 'export ERL_EPMD_ADDRESS': "%{hiera('rabbitmq::interface')}" - rabbitmq_kernel_variables: - inet_dist_listen_min: '25672' - inet_dist_listen_max: '25672' - net_ticktime: {get_param: RabbitNetTickTime} - rabbitmq_config_variables: - cluster_partition_handling: 'ignore' - queue_master_locator: '<<"min-masters">>' - loopback_users: '[]' - rabbitmq::erlang_cookie: - yaql: - expression: $.data.passwords.where($ != '').first() - data: - passwords: - - {get_param: RabbitCookie} - - {get_param: [DefaultPasswords, rabbit_cookie]} - # NOTE: bind IP is found in hiera replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. 
for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - rabbitmq::interface: - str_replace: - template: - "%{hiera('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} - rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues} - rabbitmq::ssl: {get_param: EnableInternalTLS} - rabbitmq::ssl_erl_dist: {get_param: EnableInternalTLS} - rabbitmq::ssl_port: 5672 - rabbitmq::ssl_depth: 1 - rabbitmq::ssl_only: {get_param: EnableInternalTLS} - rabbitmq::ssl_interface: - str_replace: - template: - "%{hiera('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} - # TODO(jaosorior): Remove this once we set a proper default in - # puppet-tripleo - tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS} - - - if: - - internal_tls_enabled - - generate_service_certificates: true - tripleo::rabbitmq::service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' - tripleo::profile::base::rabbitmq::certificate_specs: - service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' - service_key: '/etc/pki/tls/private/rabbitmq.key' - hostname: - str_replace: - template: "%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} - principal: - str_replace: - template: "rabbitmq/%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} - postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" - - {} - step_config: | - include ::tripleo::profile::base::rabbitmq - upgrade_tasks: - - name: Stop rabbitmq service - when: step|int == 2 - service: name=rabbitmq-server state=stopped - - name: Start rabbitmq service - when: step|int == 4 - service: name=rabbitmq-server state=started - metadata_settings: - if: - - internal_tls_enabled - - - - service: rabbitmq - network: {get_param: [ServiceNetMap, RabbitmqNetwork]} - type: node - - null 
diff --git a/sample-env-generator/messaging.yaml b/sample-env-generator/messaging.yaml index 6bd53cd835..dcdd405909 100644 --- a/sample-env-generator/messaging.yaml +++ b/sample-env-generator/messaging.yaml @@ -3,7 +3,7 @@ environments: name: messaging/rpc-rabbitmq-notify-rabbitmq-shared title: Share single rabbitmq backend for rpc and notify messaging backend files: - puppet/services/messaging/rpc-rabbitmq.yaml: + docker/services/messaging/rpc-rabbitmq.yaml: parameters: - RpcPort sample_value: @@ -21,7 +21,7 @@ environments: puppet/services/messaging/rpc-qdrouterd.yaml: parameters: - RpcPort - puppet/services/messaging/notify-rabbitmq.yaml: + docker/services/messaging/notify-rabbitmq.yaml: parameters: - NotifyPort sample_values: diff --git a/sample-env-generator/ssl.yaml b/sample-env-generator/ssl.yaml index e07e999b52..4f54d56f97 100644 --- a/sample-env-generator/ssl.yaml +++ b/sample-env-generator/ssl.yaml @@ -37,7 +37,7 @@ environments: puppet/services/nova-base.yaml: parameters: - RpcUseSSL - puppet/services/messaging/notify-rabbitmq.yaml: + docker/services/messaging/notify-rabbitmq.yaml: parameters: - NotifyUseSSL overcloud.yaml: diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py index 83f2149c68..9dee5f2bdd 100755 --- a/tools/yaml-validate.py +++ b/tools/yaml-validate.py @@ -235,9 +235,6 @@ VALIDATE_PUPPET_OVERRIDE = { # qdr aliases rabbitmq service to provide alternative messaging backend './puppet/services/qdr.yaml': False, # puppet/services/messaging/*.yaml provide oslo_messaging services - './puppet/services/messaging/notify-rabbitmq-shared.yaml': False, - './puppet/services/messaging/notify-rabbitmq.yaml': False, - './puppet/services/messaging/rpc-rabbitmq.yaml': False, './puppet/services/messaging/rpc-qdrouterd.yaml': False, }
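Review bot: In sample-env-generator/messaging.yaml, the entry this commit repoints to `docker/services/messaging/rpc-rabbitmq.yaml` (first hunk) is followed by the key `sample_value:`, while the `docker/services/messaging/notify-rabbitmq.yaml` entry in the second hunk uses `sample_values:`. If the generator reads only the plural key, which these hunks do not show, the RpcPort sample would be dropped without an error and the generated environment would carry the template default instead. Since the entry is already being edited, I would change the key to `sample_values:` or confirm that the singular spelling is accepted. Both entries continue past the end of their hunks, so the values under these keys are not visible here.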