Refactor nova db config

It is best to avoid placing db creds on the compute nodes to limit the
exposure if an attacker succeeds in gaining access to the hypervisor
host.

Related patches in puppet-nova remove the credentials from nova.conf
however the current scope of db credential hieradata is all nova tripleo
services - so it will be written to the hieradata keys on compute
nodes.

This patch refactors the nova hieradata structure, splitting the
nova-api/nova database hieradata out into individual templates and
selectively including only where necessary, ensuring we have no db
creds on a compute node (unless it is an all-in-one api+compute node).

Conflicts:
	deployment/nova/nova-manager-container-puppet.yaml
        deployment/nova/nova-compute-common-container-puppet.yaml

Depends-On: I07caa3185427b48e6e7d60965fa3e6157457018c
Change-Id: Ia4a29bdd2cd8e894bcc7c0078cf0f0ab0f97de0a
Closes-bug: #1871482
(cherry picked from commit 9d82364de8)
Oliver Walsh 2020-04-08 21:04:49 +01:00 committed by David Vallee Delisle
parent e4a028afc7
commit a2a6ddab59
13 changed files with 449 additions and 144 deletions


@ -160,6 +160,27 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaApiDBClient:
type: ./nova-apidb-client-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaDBClient:
type: ./nova-db-client-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Nova API role.
@ -188,6 +209,8 @@ outputs:
config_settings:
map_merge:
- get_attr: [NovaBase, role_data, config_settings]
- get_attr: [NovaApiDBClient, role_data, config_settings]
- get_attr: [NovaDBClient, role_data, config_settings]
- get_attr: [NovaApiLogging, config_settings]
- apache::default_vhost: false
nova::keystone::authtoken::project_name: 'service'
@ -240,19 +263,14 @@ outputs:
nova::wsgi::apache_api::workers: {get_param: NovaWorkers}
service_config_settings:
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
mysql:
map_merge:
- get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
- get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
rsyslog:
tripleo_logging_sources_nova_api:
- {get_param: NovaApiLoggingSource}
mysql:
map_merge:
- {get_attr: [NovaBase, role_data, service_config_settings, mysql]}
- nova::db::mysql_api::password: {get_param: NovaPassword}
nova::db::mysql_api::user: nova_api
nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
nova::db::mysql_api::dbname: nova_api
nova::db::mysql_api::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: nova
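Review bot: With the NovaBase mysql map no longer merged into `mysql:` here (the removed `- {get_attr: [NovaBase, role_data, service_config_settings, mysql]}` entry), `nova::db::mysql_api::setup_cell0: true` disappears from the API role's hieradata, and the nova-base section later on this page deletes that key without either new client template re-adding it. Unless puppet-nova's default for setup_cell0 is true, cell0 database creation would silently stop; I cannot confirm that default from this page. Either carry the key in nova-apidb-client's `service_config_settings.mysql` as `nova::db::mysql_api::setup_cell0: true`, or state in the commit message that the puppet default covers it. The same drop applies to the conductor, metadata and scheduler sections.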


@ -0,0 +1,78 @@
heat_template_version: rocky
description: >
OpenStack Nova database client service.
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
NovaPassword:
description: The password for the nova service and db account
type: string
hidden: true
EnableSQLAlchemyCollectd:
type: boolean
description: >
Set to true to enable the SQLAlchemy-collectd server plugin
default: false
conditions:
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
outputs:
role_data:
description: Role data for the Nova base service.
value:
config_settings:
nova::api_database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: nova_api
password: {get_param: NovaPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /nova_api
query:
if:
- enable_sqlalchemy_collectd
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: nova_api
collectd_host: localhost
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
service_config_settings:
mysql:
nova::db::mysql_api::password: {get_param: NovaPassword}
nova::db::mysql_api::user: nova_api
nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
nova::db::mysql_api::dbname: nova_api
nova::db::mysql_api::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
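Review bot: The file description (`OpenStack Nova database client service.`) and the output description (`Role data for the Nova base service.`) are copied from the other templates and do not name what this file provides; `description: OpenStack Nova API database client service.` and `description: Role data for the Nova API database client service.` would let a reader tell the two client templates apart. nova-db-client-puppet.yaml later on this page carries the same `Role data for the Nova base service.` wording and should read `Role data for the Nova database client service.`. `DefaultPasswords` is the only parameter here without a description, which is worth adding for consistency with its siblings. The `'%'` wildcard in `nova::db::mysql_api::allowed_hosts` is carried over from the old inline block rather than introduced here, so it is not a regression of this change.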


@ -63,10 +63,6 @@ parameters:
default: 'br-int'
description: Name of integration bridge used by Open vSwitch
type: string
DatabaseSyncTimeout:
default: 300
description: DB Sync Timeout default
type: number
Debug:
type: boolean
default: false
@ -298,66 +294,6 @@ outputs:
nova::placement::region_name: {get_param: KeystoneRegion}
nova::placement::valid_interfaces: {get_param: PlacementAPIInterface}
nova::os_region_name: {get_param: KeystoneRegion}
nova::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlCellInternal, protocol]}
username: nova
password: {get_param: NovaPassword}
host: {get_param: [EndpointMap, MysqlCellInternal, host]}
path: /nova
query:
if:
- enable_sqlalchemy_collectd
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: nova
collectd_host: localhost
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
nova::cell0_database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: nova
password: {get_param: NovaPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /nova_cell0
query:
if:
- enable_sqlalchemy_collectd
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: nova_cell0
collectd_host: localhost
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
nova::api_database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: nova_api
password: {get_param: NovaPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /nova_api
query:
if:
- enable_sqlalchemy_collectd
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: nova_api
collectd_host: localhost
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
nova::logging::debug:
if:
- service_debug_unset
@ -379,8 +315,6 @@ outputs:
nova::network::neutron::auth_type: 'v3password'
nova::db::database_db_max_retries: -1
nova::db::database_max_retries: -1
nova::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout}
nova::db::sync_api::db_sync_timeout: {get_param: DatabaseSyncTimeout}
nova::network::neutron::ovs_bridge: {get_param: NovaOVSBridge}
nova::cache::enabled: true
nova::cache::backend: 'dogpile.cache.memcached'
@ -424,9 +358,5 @@ outputs:
- {}
- nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
service_config_settings:
mysql:
# NOTE(aschultz): this should be configurable if/when we support more
# complex cell v2 configurations. For now, this is the default cell
# created for the cell v2 configuration
nova::db::mysql_api::setup_cell0: true
rabbitmq:
nova::rabbit_use_ssl: {get_param: RpcUseSSL}
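Review bot: `nova::cell0_database_connection` is removed here together with the other two connection strings, but within this page it is not re-added by nova-apidb-client or nova-db-client, whereas the other two are. If the Depends-On puppet-nova change does not derive the cell0 URL from `nova::database_connection`, the cell0 mapping step loses its connection string; nova-apidb-client-puppet.yaml, which already builds the MysqlInternal URL for nova_api, would be the natural place to carry it. The `DatabaseSyncTimeout` parameter is removed outright; Heat ignores stale entries in parameter_defaults, so existing environments will not fail, but a release note for the dropped parameter is missing. The `enable_sqlalchemy_collectd` condition this template declares is only referenced by the removed lines in these hunks, so it may now be unused here — worth checking the part of the file outside the hunks.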


@ -61,19 +61,27 @@ outputs:
- not nova_additional_cell|bool
- nova_cellv2_discovery_done is not defined
block:
- name: discover via nova_compute?
- name: discover via nova_manager?
set_fact:
nova_cellv2_discovery_delegate_host: "{{ groups['nova_compute'][0] }}"
nova_cellv2_discovery_delegate_host: "{{ groups['nova_manager'][0] }}"
nova_cellv2_discovery_container: nova_manager
when:
- groups['nova_compute'] is defined and (groups['nova_compute']|length>0)
- name: discover via nova_ironic?
- groups['nova_manager'] is defined and (groups['nova_manager']|length>0)
- name: discover via nova_api?
set_fact:
nova_cellv2_discovery_delegate_host: "{{ groups['nova_ironic'][0] }}"
nova_cellv2_discovery_delegate_host: "{{ groups['nova_api'][0] }}"
nova_cellv2_discovery_container: nova_api
when:
- nova_cellv2_discovery_delegate_host is not defined
- groups['nova_api'] is defined and (groups['nova_api']|length>0)
- name: Warn if no discovery host available
fail:
msg: 'No hosts available to run nova cell_v2 host discovery.'
ignore_errors: yes
when:
- nova_cellv2_discovery_delegate_host is not defined
- groups['nova_ironic'] is defined and (groups['nova_ironic']|length>0)
- name: Discovering nova hosts
command: "{{ container_cli }} exec nova_compute nova-manage cell_v2 discover_hosts --by-service"
command: "{{ container_cli }} exec {{ nova_cellv2_discovery_container }} nova-manage cell_v2 discover_hosts --by-service"
become: true
changed_when: false
delegate_to: '{{ nova_cellv2_discovery_delegate_host }}'
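Review bot: `ignore_errors: yes` on the new warning task should be `ignore_errors: true`; Ansible accepts both, but `yes` is a YAML 1.1 boolean and yamllint's truthy rule rejects it. A `fail` task with errors ignored still prints a fatal line and counts an ignored failure, and the following `Discovering nova hosts` task shows no `when` inside the hunk, so if no guard exists past the hunk a deployment with neither nova_manager nor nova_api hosts would then error on `delegate_to: '{{ nova_cellv2_discovery_delegate_host }}'` instead of merely warning. Guarding that task with `when: nova_cellv2_discovery_delegate_host is defined` keeps the non-fatal intent. The enclosing block starts outside the hunk.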


@ -538,16 +538,13 @@ resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../../deployment/database/mysql-client.yaml
NovaComputeCommon:
type: ./nova-compute-common-container-puppet.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
@ -851,14 +848,11 @@ outputs:
puppet_config:
config_volume: nova_libvirt
puppet_tags: nova_config,nova_paste_api_ini
step_config:
list_join:
- "\n"
- - # TODO(emilien): figure how to deal with libvirt profile.
# We'll probably treat it like we do with Neutron plugins.
# Until then, just include it in the default nova-compute role.
include tripleo::profile::base::nova::compute::libvirt
- {get_attr: [MySQLClient, role_data, step_config]}
step_config: |
# TODO(emilien): figure how to deal with libvirt profile.
# We'll probably treat it like we do with Neutron plugins.
# Until then, just include it in the default nova-compute role.
include tripleo::profile::base::nova::compute::libvirt
config_image: {get_param: ContainerNovaLibvirtConfigImage}
kolla_config:
/var/lib/kolla/config_files/nova_compute.json:
@ -984,7 +978,6 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/config-data/nova_libvirt/etc/my.cnf.d/:/etc/my.cnf.d/:ro
- /var/lib/config-data/nova_libvirt/etc/nova/:/etc/nova/:ro
- /var/log/containers/nova:/var/log/nova
- /var/lib/container-config-scripts/:/container-config-scripts/


@ -58,9 +58,14 @@ parameters:
description: The password for the nova service and db account
type: string
hidden: true
NovaAdditionalCell:
default: false
description: Whether this is an cell additional to the default cell.
type: boolean
conditions:
nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
is_not_additional_cell: {equals: [{get_param: NovaAdditionalCell}, false]}
resources:
@ -86,6 +91,27 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaApiDBClient:
type: ./nova-apidb-client-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaDBClient:
type: ./nova-db-client-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Nova Conductor service.
@ -94,27 +120,28 @@ outputs:
monitoring_subscription: {get_param: MonitoringSubscriptionNovaConductor}
config_settings:
map_merge:
- {get_attr: [NovaBase, role_data, config_settings]}
- {get_attr: [NovaLogging, config_settings]}
- get_attr: [NovaBase, role_data, config_settings]
# FIXME(owalsh): NovaApiDBClient should be conditional on is_not_additional_cell
# however cell conductor currently requires api db access for affinity checks
- get_attr: [NovaApiDBClient, role_data, config_settings]
- get_attr: [NovaDBClient, role_data, config_settings]
- get_attr: [NovaLogging, config_settings]
-
if:
- nova_workers_zero
- {}
- nova::conductor::workers: {get_param: NovaWorkers}
service_config_settings:
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
mysql:
map_merge:
# FIXME(owalsh): NovaApiDBClient should be conditional on is_not_additional_cell
# however cell conductor currently requires api db access for affinity checks
- get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
- get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
rsyslog:
tripleo_logging_sources_nova_conductor:
- {get_param: NovaConductorLoggingSource}
mysql:
map_merge:
- {get_attr: [NovaBase, role_data, service_config_settings, mysql]}
- nova::db::mysql::password: {get_param: NovaPassword}
nova::db::mysql::user: nova
nova::db::mysql::host: {get_param: [EndpointMap, MysqlCellInternal, host_nobrackets]}
nova::db::mysql::dbname: nova
nova::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: nova
@ -158,7 +185,14 @@ outputs:
- /var/lib/config-data/nova/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro
- /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro
user: root
command: "/usr/bin/bootstrap_host_exec nova_conductor su nova -s /bin/bash -c '/usr/bin/nova-manage db sync'"
command:
str_replace:
template: "/usr/bin/bootstrap_host_exec nova_conductor su nova -s /bin/bash -c '/usr/bin/nova-manage db sync DB_SYNC_ARGS'"
params:
if:
- is_not_additional_cell
- DB_SYNC_ARGS: ""
- DB_SYNC_ARGS: "--local_cell"
environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
step_4:
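Review bot: The `NovaAdditionalCell` description reads `Whether this is an cell additional to the default cell.`; `description: Whether this cell is an additional cell rather than the default cell.` is clearer. The FIXME about NovaApiDBClient is pasted twice (under config_settings and under service_config_settings.mysql); one copy on the `NovaApiDBClient:` resource declaration would cover both uses, and it should spell out that an additional-cell conductor therefore still receives API DB credentials, since that is an exception to the goal stated in the commit message. The `str_replace`/`if` construction for `DB_SYNC_ARGS` is correct, but a short comment above `command:` noting that `--local_cell` restricts the sync to this cell's database would save the next reader a lookup.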


@ -0,0 +1,80 @@
heat_template_version: rocky
description: >
OpenStack Nova database client service.
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
NovaPassword:
description: The password for the nova service and db account
type: string
hidden: true
EnableSQLAlchemyCollectd:
type: boolean
description: >
Set to true to enable the SQLAlchemy-collectd server plugin
default: false
conditions:
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
outputs:
role_data:
description: Role data for the Nova base service.
value:
config_settings:
nova::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlCellInternal, protocol]}
username: nova
password: {get_param: NovaPassword}
host: {get_param: [EndpointMap, MysqlCellInternal, host]}
path: /nova
query:
if:
- enable_sqlalchemy_collectd
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: nova
collectd_host: localhost
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
service_config_settings:
mysql:
nova::db::mysql::password: {get_param: NovaPassword}
nova::db::mysql::user: nova
nova::db::mysql::host: {get_param: [EndpointMap, MysqlCellInternal, host_nobrackets]}
nova::db::mysql::dbname: nova
nova::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"


@ -83,16 +83,13 @@ resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../../deployment/database/mysql-client.yaml
NovaComputeCommon:
type: ./nova-compute-common-container-puppet.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
@ -106,6 +103,7 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Nova Compute service.
@ -131,11 +129,8 @@ outputs:
puppet_config:
config_volume: nova
puppet_tags: nova_config,nova_paste_api_ini
step_config:
list_join:
- "\n"
- - include tripleo::profile::base::nova::compute::ironic
- {get_attr: [MySQLClient, role_data, step_config]}
step_config: |
include tripleo::profile::base::nova::compute::ironic
config_image: {get_param: ContainerNovaConfigImage}
kolla_config:
/var/lib/kolla/config_files/nova_ironic.json:


@ -346,9 +346,6 @@ resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../../deployment/database/mysql-client.yaml
NovaLibvirtLogging:
type: OS::TripleO::Services::Logging::NovaLibvirt
@ -362,6 +359,7 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Libvirt service.
@ -564,11 +562,8 @@ outputs:
puppet_config:
config_volume: nova_libvirt
puppet_tags: libvirtd_config,virtlogd_config,nova_config,file,libvirt_tls_password
step_config:
list_join:
- "\n"
- - include tripleo::profile::base::nova::libvirt
- {get_attr: [MySQLClient, role_data, step_config]}
step_config: |
include tripleo::profile::base::nova::libvirt
config_image: {get_param: ContainerNovaLibvirtConfigImage}
kolla_config:
/var/lib/kolla/config_files/nova_libvirt.json:


@ -0,0 +1,105 @@
heat_template_version: rocky
description: >
OpenStack containerized nova-manage runner service
parameters:
ContainerNovaConductorImage:
description: image
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
resources:
# Cannot control nova-manage logging so expect it to log to file
NovaLogging:
type: ../logging/files/nova-common.yaml
properties:
ContainerNovaImage: &nova_conductor_image {get_param: ContainerNovaConductorImage}
NovaServiceName: 'manager'
ContainersCommon:
type: ../containers-common.yaml
NovaConductorBase:
type: ./nova-conductor-container-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the nova-manage runner service.
value:
service_name: nova_manager
config_settings:
get_attr: [NovaConductorBase, role_data, config_settings]
service_config_settings:
mysql:
get_attr: [NovaConductorBase, role_data, service_config_settings, mysql]
# BEGIN DOCKER SETTINGS
puppet_config:
get_attr: [NovaConductorBase, role_data, puppet_config]
kolla_config:
/var/lib/kolla/config_files/nova_manager.json:
command: "/bin/sleep infinity"
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/nova
owner: nova:nova
recurse: true
docker_config:
step_2:
get_attr: [NovaLogging, docker_config, step_2]
step_4:
nova_manager:
image: *nova_conductor_image
net: host
privileged: false
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NovaLogging, volumes]}
-
- /var/lib/kolla/config_files/nova_manager.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova:/var/lib/kolla/config_files/src:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks:
get_attr: [NovaLogging, host_prep_tasks]
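Review bot: `ContainerNovaConductorImage` is documented only as `image`; `description: Container image for the nova-manage runner (reuses the nova-conductor image)` says what a reader needs. Because `config_settings` and `puppet_config` are taken wholesale from NovaConductorBase, this container's generated nova.conf carries both the API and cell database credentials and the container runs permanently under `sleep infinity`; a header comment such as `# NOTE: inherits the conductor's config, including api/cell DB credentials; only place this service on roles that already run nova_conductor.` records the placement constraint the commit message implies. `service_config_settings` forwards only the conductor's `mysql` map and not `rabbitmq`, which is fine as long as nova_conductor is deployed on some role — something I cannot verify from here.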


@ -81,6 +81,7 @@ conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
is_not_cell_local: {equals: [{get_param: NovaLocalMetadataPerCell}, false]}
resources:
@ -114,6 +115,27 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaApiDBClient:
type: ./nova-apidb-client-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaDBClient:
type: ./nova-db-client-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Nova Metadata service.
@ -128,6 +150,11 @@ outputs:
config_settings:
map_merge:
- get_attr: [NovaBase, role_data, config_settings]
- if:
- is_not_cell_local
- get_attr: [NovaApiDBClient, role_data, config_settings]
- {}
- get_attr: [NovaDBClient, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- get_attr: [NovaMetadataLogging, config_settings]
- apache::default_vhost: false
@ -168,19 +195,17 @@ outputs:
- nova::metadata::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
- {}
service_config_settings:
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
mysql:
map_merge:
- if:
- is_not_cell_local
- get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
- {}
- get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
rsyslog:
tripleo_logging_sources_nova_metadata:
- {get_param: NovaMetadataLoggingSource}
mysql:
map_merge:
- {get_attr: [NovaBase, role_data, service_config_settings, mysql]}
- nova::db::mysql_api::password: {get_param: NovaPassword}
nova::db::mysql_api::user: nova_api
nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
nova::db::mysql_api::dbname: nova_api
nova::db::mysql_api::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: nova_metadata


@ -142,6 +142,26 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaApiDBClient:
type: ./nova-apidb-client-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaDBClient:
type: ./nova-db-client-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
@ -151,8 +171,10 @@ outputs:
monitoring_subscription: {get_param: MonitoringSubscriptionNovaScheduler}
config_settings:
map_merge:
- {get_attr: [NovaBase, role_data, config_settings]}
- {get_attr: [NovaLogging, config_settings]}
- get_attr: [NovaBase, role_data, config_settings]
- get_attr: [NovaApiDBClient, role_data, config_settings]
- get_attr: [NovaDBClient, role_data, config_settings]
- get_attr: [NovaLogging, config_settings]
- nova::scheduler::filter::scheduler_available_filters: {get_param: NovaSchedulerAvailableFilters}
nova::scheduler::filter::scheduler_default_filters: {get_param: NovaSchedulerDefaultFilters}
nova::scheduler::filter::scheduler_max_attempts: {get_param: NovaSchedulerMaxAttempts}
@ -168,6 +190,11 @@ outputs:
- {}
- nova::scheduler::workers: {get_param: NovaSchedulerWorkers}
service_config_settings:
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
mysql:
map_merge:
- get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
- get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
rsyslog:
tripleo_logging_sources_nova_scheduler:
- {get_param: NovaSchedulerLoggingSource}


@ -138,6 +138,17 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaDBClient:
type: ./nova-db-client-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Nova Vncproxy service.
@ -150,7 +161,9 @@ outputs:
- 13080
config_settings:
map_merge:
- {get_attr: [NovaLogging, config_settings]}
- get_attr: [NovaBase, role_data, config_settings]
- get_attr: [NovaDBClient, role_data, config_settings]
- get_attr: [NovaLogging, config_settings]
- nova::vncproxy::enabled: true
nova::vncproxy::common::vncproxy_protocol: {get_param: [EndpointMap, NovaVNCProxyCellPublic, protocol]}
nova::vncproxy::common::vncproxy_host: {get_param: [EndpointMap, NovaVNCProxyCellPublic, host_nobrackets]}
@ -226,6 +239,10 @@ outputs:
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
- {}
service_config_settings:
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
mysql:
map_merge:
- get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
rsyslog:
tripleo_logging_sources_nova_vnc_proxy:
- {get_param: NovaVncproxyLoggingSource}
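Review bot: `mysql:` is now a `map_merge` over a single `get_attr`; `mysql: {get_attr: [NovaDBClient, role_data, service_config_settings, mysql]}` expresses the same value without the wrapper. The new `get_attr: [NovaBase, role_data, config_settings]` and `rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}` lines are the only references to NovaBase in these hunks and its resource declaration is outside them; if NovaBase is not declared in this template the stack fails at validation, so confirm it exists. Merging NovaBase's config_settings into the vncproxy service also pulls in more than the DB client hieradata, which the commit message does not mention.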