Refactor nova db config
It is best to avoid placing db creds on the compute nodes to limit the exposure if an attacker succeeds in gaining access to the hypervisor host. Related patches in puppet-nova remove the credentials from nova.conf however the current scope of db credential hieradata is all nova tripleo services - so it will be written to the hieradata keys on compute nodes. This patch refactors the nova hieradata structure, splitting the nova-api/nova database hieradata out into individual templates and selectively including only where necessary, ensuring we have no db creds on a compute node (unless it is an all-in-one api+compute node). Conflicts: deployment/nova/nova-manager-container-puppet.yaml deployment/nova/nova-compute-common-container-puppet.yaml Depends-On: I07caa3185427b48e6e7d60965fa3e6157457018c Change-Id: Ia4a29bdd2cd8e894bcc7c0078cf0f0ab0f97de0a Closes-bug: #1871482 (cherry picked from commit9d82364de8
) (cherry picked from commita2a6ddab59
)
This commit is contained in:
parent
43c02ebc95
commit
ace7eb7d6f
@ -165,6 +165,27 @@ resources:
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
NovaApiDBClient:
|
||||
type: ./nova-apidb-client-puppet.yaml
|
||||
properties:
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
DefaultPasswords: {get_param: DefaultPasswords}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
NovaDBClient:
|
||||
type: ./nova-db-client-puppet.yaml
|
||||
properties:
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
DefaultPasswords: {get_param: DefaultPasswords}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the Nova API role.
|
||||
@ -193,6 +214,8 @@ outputs:
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [NovaBase, role_data, config_settings]
|
||||
- get_attr: [NovaApiDBClient, role_data, config_settings]
|
||||
- get_attr: [NovaDBClient, role_data, config_settings]
|
||||
- get_attr: [NovaApiLogging, config_settings]
|
||||
- apache::default_vhost: false
|
||||
nova::keystone::authtoken::project_name: 'service'
|
||||
@ -250,19 +273,14 @@ outputs:
|
||||
- {}
|
||||
|
||||
service_config_settings:
|
||||
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
|
||||
mysql:
|
||||
map_merge:
|
||||
- get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
|
||||
- get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
|
||||
rsyslog:
|
||||
tripleo_logging_sources_nova_api:
|
||||
- {get_param: NovaApiLoggingSource}
|
||||
mysql:
|
||||
map_merge:
|
||||
- {get_attr: [NovaBase, role_data, service_config_settings, mysql]}
|
||||
- nova::db::mysql_api::password: {get_param: NovaPassword}
|
||||
nova::db::mysql_api::user: nova_api
|
||||
nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
||||
nova::db::mysql_api::dbname: nova_api
|
||||
nova::db::mysql_api::allowed_hosts:
|
||||
- '%'
|
||||
- "%{hiera('mysql_bind_host')}"
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
config_volume: nova
|
||||
|
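--- /dev/null
+++ b/deployment/nova/nova-apidb-client-puppet.yaml
@@ -0,0 +1,78 @@
+heat_template_version: rocky
+
+description: >
+  OpenStack Nova database client service.
+
+parameters:
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry. This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  NovaPassword:
+    description: The password for the nova service and db account
+    type: string
+    hidden: true
+  EnableSQLAlchemyCollectd:
+    type: boolean
+    description: >
+      Set to true to enable the SQLAlchemy-collectd server plugin
+    default: false
+
+conditions:
+  enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
+
+outputs:
+  role_data:
+    description: Role data for the Nova base service.
+    value:
+      config_settings:
+        nova::api_database_connection:
+          make_url:
+            scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
+            username: nova_api
+            password: {get_param: NovaPassword}
+            host: {get_param: [EndpointMap, MysqlInternal, host]}
+            path: /nova_api
+            query:
+              if:
+                - enable_sqlalchemy_collectd
+                -
+                  read_default_file: /etc/my.cnf.d/tripleo.cnf
+                  read_default_group: tripleo
+                  plugin: collectd
+                  collectd_program_name: nova_api
+                  collectd_host: localhost
+                -
+                  read_default_file: /etc/my.cnf.d/tripleo.cnf
+                  read_default_group: tripleo
+      service_config_settings:
+        mysql:
+          nova::db::mysql_api::password: {get_param: NovaPassword}
+          nova::db::mysql_api::user: nova_api
+          nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+          nova::db::mysql_api::dbname: nova_api
+          nova::db::mysql_api::allowed_hosts:
+            - '%'
+            - "%{hiera('mysql_bind_host')}"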
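Review bot: Both the template `description` (`OpenStack Nova database client service.`) and `outputs.role_data.description` (`Role data for the Nova base service.`) are copied from the cell DB client / nova-base and do not say that this template configures the API database; suggest `OpenStack Nova API database client service.` and `Role data for the Nova API database client service.`. Apart from the `_api` names and the `MysqlInternal` endpoint this file has the same shape as nova-db-client-puppet.yaml, so a one-line comment under `heat_template_version` noting that the two are meant to stay in step would help the next maintainer. The `'%'` wildcard in `nova::db::mysql_api::allowed_hosts` (and in `nova::db::mysql::allowed_hosts` of nova-db-client-puppet.yaml) is carried over unchanged from the nova-api and conductor hunks; it grants the DB user from any host, and now that credential scope is being narrowed per service it is the next thing worth tightening to the mysql bind host alone.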
@ -63,10 +63,6 @@ parameters:
|
||||
default: 'br-int'
|
||||
description: Name of integration bridge used by Open vSwitch
|
||||
type: string
|
||||
DatabaseSyncTimeout:
|
||||
default: 300
|
||||
description: DB Sync Timeout default
|
||||
type: number
|
||||
Debug:
|
||||
type: boolean
|
||||
default: false
|
||||
@ -298,66 +294,6 @@ outputs:
|
||||
nova::placement::region_name: {get_param: KeystoneRegion}
|
||||
nova::placement::valid_interfaces: {get_param: PlacementAPIInterface}
|
||||
nova::os_region_name: {get_param: KeystoneRegion}
|
||||
nova::database_connection:
|
||||
make_url:
|
||||
scheme: {get_param: [EndpointMap, MysqlCellInternal, protocol]}
|
||||
username: nova
|
||||
password: {get_param: NovaPassword}
|
||||
host: {get_param: [EndpointMap, MysqlCellInternal, host]}
|
||||
path: /nova
|
||||
query:
|
||||
if:
|
||||
- enable_sqlalchemy_collectd
|
||||
-
|
||||
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||
read_default_group: tripleo
|
||||
plugin: collectd
|
||||
collectd_program_name: nova
|
||||
collectd_host: localhost
|
||||
-
|
||||
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||
read_default_group: tripleo
|
||||
|
||||
nova::cell0_database_connection:
|
||||
make_url:
|
||||
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
|
||||
username: nova
|
||||
password: {get_param: NovaPassword}
|
||||
host: {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
path: /nova_cell0
|
||||
query:
|
||||
if:
|
||||
- enable_sqlalchemy_collectd
|
||||
-
|
||||
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||
read_default_group: tripleo
|
||||
plugin: collectd
|
||||
collectd_program_name: nova_cell0
|
||||
collectd_host: localhost
|
||||
-
|
||||
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||
read_default_group: tripleo
|
||||
|
||||
nova::api_database_connection:
|
||||
make_url:
|
||||
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
|
||||
username: nova_api
|
||||
password: {get_param: NovaPassword}
|
||||
host: {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
path: /nova_api
|
||||
query:
|
||||
if:
|
||||
- enable_sqlalchemy_collectd
|
||||
-
|
||||
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||
read_default_group: tripleo
|
||||
plugin: collectd
|
||||
collectd_program_name: nova_api
|
||||
collectd_host: localhost
|
||||
-
|
||||
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||
read_default_group: tripleo
|
||||
|
||||
nova::logging::debug:
|
||||
if:
|
||||
- service_debug_unset
|
||||
@ -379,8 +315,6 @@ outputs:
|
||||
nova::network::neutron::auth_type: 'v3password'
|
||||
nova::db::database_db_max_retries: -1
|
||||
nova::db::database_max_retries: -1
|
||||
nova::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout}
|
||||
nova::db::sync_api::db_sync_timeout: {get_param: DatabaseSyncTimeout}
|
||||
nova::network::neutron::ovs_bridge: {get_param: NovaOVSBridge}
|
||||
nova::cache::enabled: true
|
||||
nova::cache::backend: 'dogpile.cache.memcached'
|
||||
@ -424,9 +358,5 @@ outputs:
|
||||
- {}
|
||||
- nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
|
||||
service_config_settings:
|
||||
mysql:
|
||||
# NOTE(aschultz): this should be configurable if/when we support more
|
||||
# complex cell v2 configurations. For now, this is the default cell
|
||||
# created for the cell v2 configuration
|
||||
nova::db::mysql_api::setup_cell0: true
|
||||
rabbitmq:
|
||||
nova::rabbit_use_ssl: {get_param: RpcUseSSL}
|
||||
|
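Review bot: `nova::db::mysql_api::setup_cell0: true` is removed from NovaBase's `service_config_settings.mysql` in this hunk, and the nova-api (`@ -250,19 +273,14`) and conductor (`@ -94,27 +120,28`) merges no longer include NovaBase's mysql settings, yet neither new client template in this commit sets it. Unless the Depends-On puppet-nova change makes cell0 setup the default, the nova_cell0 database and grants would silently stop being created on fresh deployments. If it is still needed, the natural home is the `service_config_settings.mysql` block of nova-apidb-client-puppet.yaml, `nova::db::mysql_api::setup_cell0: true`, with the NOTE(aschultz) comment carried over. The enclosing `outputs` mapping starts outside the hunk.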
@ -61,19 +61,27 @@ outputs:
|
||||
- not nova_additional_cell|bool
|
||||
- nova_cellv2_discovery_done is not defined
|
||||
block:
|
||||
- name: discover via nova_compute?
|
||||
- name: discover via nova_manager?
|
||||
set_fact:
|
||||
nova_cellv2_discovery_delegate_host: "{{ groups['nova_compute'][0] }}"
|
||||
nova_cellv2_discovery_delegate_host: "{{ groups['nova_manager'][0] }}"
|
||||
nova_cellv2_discovery_container: nova_manager
|
||||
when:
|
||||
- groups['nova_compute'] is defined and (groups['nova_compute']|length>0)
|
||||
- name: discover via nova_ironic?
|
||||
- groups['nova_manager'] is defined and (groups['nova_manager']|length>0)
|
||||
- name: discover via nova_api?
|
||||
set_fact:
|
||||
nova_cellv2_discovery_delegate_host: "{{ groups['nova_ironic'][0] }}"
|
||||
nova_cellv2_discovery_delegate_host: "{{ groups['nova_api'][0] }}"
|
||||
nova_cellv2_discovery_container: nova_api
|
||||
when:
|
||||
- nova_cellv2_discovery_delegate_host is not defined
|
||||
- groups['nova_api'] is defined and (groups['nova_api']|length>0)
|
||||
- name: Warn if no discovery host available
|
||||
fail:
|
||||
msg: 'No hosts available to run nova cell_v2 host discovery.'
|
||||
ignore_errors: yes
|
||||
when:
|
||||
- nova_cellv2_discovery_delegate_host is not defined
|
||||
- groups['nova_ironic'] is defined and (groups['nova_ironic']|length>0)
|
||||
- name: Discovering nova hosts
|
||||
command: "{{ container_cli }} exec nova_compute nova-manage cell_v2 discover_hosts --by-service"
|
||||
command: "{{ container_cli }} exec {{ nova_cellv2_discovery_container }} nova-manage cell_v2 discover_hosts --by-service"
|
||||
become: true
|
||||
changed_when: false
|
||||
delegate_to: '{{ nova_cellv2_discovery_delegate_host }}'
|
||||
|
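Review bot: The new `Warn if no discovery host available` task uses `fail:` with `ignore_errors: yes`, so when neither the nova_manager nor the nova_api group is populated the play continues into `Discovering nova hosts`, whose `delegate_to: '{{ nova_cellv2_discovery_delegate_host }}'` would then reference a fact that was never set; unless that task is guarded by a `when: nova_cellv2_discovery_delegate_host is defined` outside the hunk, the warning is followed by a hard failure anyway. Either turn the warning into a `debug:` task or add that guard to the discovery task. The boolean should also be written canonically, `ignore_errors: true`. The enclosing `block:` starts before the hunk and its `when:` list continues after it.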
@ -557,16 +557,13 @@ resources:
|
||||
ContainersCommon:
|
||||
type: ../containers-common.yaml
|
||||
|
||||
MySQLClient:
|
||||
type: ../../deployment/database/mysql-client.yaml
|
||||
|
||||
NovaComputeCommon:
|
||||
type: ./nova-compute-common-container-puppet.yaml
|
||||
properties:
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
DefaultPasswords: {get_param: DefaultPasswords}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
@ -912,14 +909,11 @@ outputs:
|
||||
puppet_config:
|
||||
config_volume: nova_libvirt
|
||||
puppet_tags: nova_config,nova_paste_api_ini
|
||||
step_config:
|
||||
list_join:
|
||||
- "\n"
|
||||
- - # TODO(emilien): figure how to deal with libvirt profile.
|
||||
step_config: |
|
||||
# TODO(emilien): figure how to deal with libvirt profile.
|
||||
# We'll probably treat it like we do with Neutron plugins.
|
||||
# Until then, just include it in the default nova-compute role.
|
||||
include tripleo::profile::base::nova::compute::libvirt
|
||||
- {get_attr: [MySQLClient, role_data, step_config]}
|
||||
config_image: {get_param: ContainerNovaLibvirtConfigImage}
|
||||
kolla_config:
|
||||
/var/lib/kolla/config_files/nova_compute.json:
|
||||
@ -1045,7 +1039,6 @@ outputs:
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
-
|
||||
- /var/lib/config-data/nova_libvirt/etc/my.cnf.d/:/etc/my.cnf.d/:ro
|
||||
- /var/lib/config-data/nova_libvirt/etc/nova/:/etc/nova/:ro
|
||||
- /var/log/containers/nova:/var/log/nova
|
||||
- /var/lib/container-config-scripts/:/container-config-scripts/
|
||||
|
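Review bot: Dropping the `/var/lib/config-data/nova_libvirt/etc/my.cnf.d/:/etc/my.cnf.d/:ro` mount from nova_compute is the part of this change that actually keeps `tripleo.cnf` out of the compute container, but the same `nova_libvirt` config volume is also consumed by the nova_libvirt container (`config_volume: nova_libvirt` in the `@ -614,11 +612,8` hunk), whose volume list is not touched in this commit. Worth confirming that container does not still mount `my.cnf.d` from the shared volume; if it does, the client config remains readable on the hypervisor host. The containing `docker_config` step and the `volumes` list begin outside the hunk.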
@ -58,9 +58,14 @@ parameters:
|
||||
description: The password for the nova service and db account
|
||||
type: string
|
||||
hidden: true
|
||||
NovaAdditionalCell:
|
||||
default: false
|
||||
description: Whether this is an cell additional to the default cell.
|
||||
type: boolean
|
||||
|
||||
conditions:
|
||||
nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
|
||||
is_not_additional_cell: {equals: [{get_param: NovaAdditionalCell}, false]}
|
||||
|
||||
resources:
|
||||
|
||||
@ -86,6 +91,27 @@ resources:
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
NovaApiDBClient:
|
||||
type: ./nova-apidb-client-puppet.yaml
|
||||
properties:
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
DefaultPasswords: {get_param: DefaultPasswords}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
NovaDBClient:
|
||||
type: ./nova-db-client-puppet.yaml
|
||||
properties:
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
DefaultPasswords: {get_param: DefaultPasswords}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the Nova Conductor service.
|
||||
@ -94,27 +120,28 @@ outputs:
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionNovaConductor}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- {get_attr: [NovaBase, role_data, config_settings]}
|
||||
- {get_attr: [NovaLogging, config_settings]}
|
||||
- get_attr: [NovaBase, role_data, config_settings]
|
||||
# FIXME(owalsh): NovaApiDBClient should be conditional on is_not_additional_cell
|
||||
# however cell conductor currently requires api db access for affinity checks
|
||||
- get_attr: [NovaApiDBClient, role_data, config_settings]
|
||||
- get_attr: [NovaDBClient, role_data, config_settings]
|
||||
- get_attr: [NovaLogging, config_settings]
|
||||
-
|
||||
if:
|
||||
- nova_workers_zero
|
||||
- {}
|
||||
- nova::conductor::workers: {get_param: NovaWorkers}
|
||||
service_config_settings:
|
||||
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
|
||||
mysql:
|
||||
map_merge:
|
||||
# FIXME(owalsh): NovaApiDBClient should be conditional on is_not_additional_cell
|
||||
# however cell conductor currently requires api db access for affinity checks
|
||||
- get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
|
||||
- get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
|
||||
rsyslog:
|
||||
tripleo_logging_sources_nova_conductor:
|
||||
- {get_param: NovaConductorLoggingSource}
|
||||
mysql:
|
||||
map_merge:
|
||||
- {get_attr: [NovaBase, role_data, service_config_settings, mysql]}
|
||||
- nova::db::mysql::password: {get_param: NovaPassword}
|
||||
nova::db::mysql::user: nova
|
||||
nova::db::mysql::host: {get_param: [EndpointMap, MysqlCellInternal, host_nobrackets]}
|
||||
nova::db::mysql::dbname: nova
|
||||
nova::db::mysql::allowed_hosts:
|
||||
- '%'
|
||||
- "%{hiera('mysql_bind_host')}"
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
config_volume: nova
|
||||
@ -158,7 +185,14 @@ outputs:
|
||||
- /var/lib/config-data/nova/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro
|
||||
- /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro
|
||||
user: root
|
||||
command: "/usr/bin/bootstrap_host_exec nova_conductor su nova -s /bin/bash -c '/usr/bin/nova-manage db sync'"
|
||||
command:
|
||||
str_replace:
|
||||
template: "/usr/bin/bootstrap_host_exec nova_conductor su nova -s /bin/bash -c '/usr/bin/nova-manage db sync DB_SYNC_ARGS'"
|
||||
params:
|
||||
if:
|
||||
- is_not_additional_cell
|
||||
- DB_SYNC_ARGS: ""
|
||||
- DB_SYNC_ARGS: "--local_cell"
|
||||
environment:
|
||||
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
||||
step_4:
|
||||
|
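Review bot: `is_not_additional_cell` is only applied to `DB_SYNC_ARGS`; both FIXME(owalsh) blocks leave `NovaApiDBClient` unconditional, which is justified for `config_settings` (the conductor needs the API DB connection), but the `service_config_settings.mysql` merge also hands the `nova::db::mysql_api::*` user/database/grant definitions to the MySQL service of an additional cell, where the nova_api database presumably should not be created — confirm against the mysql profile. If so, wrap only that entry the way nova-metadata does with `is_not_cell_local`: `- if: [is_not_additional_cell, {get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]}, {}]`. Separately, the `NovaAdditionalCell` description reads `Whether this is an cell additional to the default cell.`; suggest `Whether this is a cell additional to the default cell.`.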
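--- /dev/null
+++ b/deployment/nova/nova-db-client-puppet.yaml
@@ -0,0 +1,80 @@
+heat_template_version: rocky
+
+description: >
+  OpenStack Nova database client service.
+
+parameters:
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry. This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  NovaPassword:
+    description: The password for the nova service and db account
+    type: string
+    hidden: true
+  EnableSQLAlchemyCollectd:
+    type: boolean
+    description: >
+      Set to true to enable the SQLAlchemy-collectd server plugin
+    default: false
+
+conditions:
+  enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
+
+outputs:
+  role_data:
+    description: Role data for the Nova base service.
+    value:
+      config_settings:
+        nova::database_connection:
+          make_url:
+            scheme: {get_param: [EndpointMap, MysqlCellInternal, protocol]}
+            username: nova
+            password: {get_param: NovaPassword}
+            host: {get_param: [EndpointMap, MysqlCellInternal, host]}
+            path: /nova
+            query:
+              if:
+                - enable_sqlalchemy_collectd
+                -
+                  read_default_file: /etc/my.cnf.d/tripleo.cnf
+                  read_default_group: tripleo
+                  plugin: collectd
+                  collectd_program_name: nova
+                  collectd_host: localhost
+                -
+                  read_default_file: /etc/my.cnf.d/tripleo.cnf
+                  read_default_group: tripleo
+      service_config_settings:
+        mysql:
+          nova::db::mysql::password: {get_param: NovaPassword}
+          nova::db::mysql::user: nova
+          nova::db::mysql::host: {get_param: [EndpointMap, MysqlCellInternal, host_nobrackets]}
+          nova::db::mysql::dbname: nova
+          nova::db::mysql::allowed_hosts:
+            - '%'
+            - "%{hiera('mysql_bind_host')}"
+
+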
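Review bot: `description: Role data for the Nova base service.` under `outputs.role_data` is copied from nova-base and misdescribes this template; suggest `Role data for the Nova cell database client service.`. The file also ends with two blank lines, where yamllint expects exactly one trailing newline. Given that the connection uses `MysqlCellInternal` while the API client uses `MysqlInternal`, a short comment above `nova::database_connection` saying this points at the cell database (which differs from the API database in multi-cell deployments) would make the split explicit for readers who only open one of the two files.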
@ -75,16 +75,13 @@ resources:
|
||||
ContainersCommon:
|
||||
type: ../containers-common.yaml
|
||||
|
||||
MySQLClient:
|
||||
type: ../../deployment/database/mysql-client.yaml
|
||||
|
||||
NovaComputeCommon:
|
||||
type: ./nova-compute-common-container-puppet.yaml
|
||||
properties:
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
DefaultPasswords: {get_param: DefaultPasswords}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
@ -98,6 +95,7 @@ resources:
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the Nova Compute service.
|
||||
@ -122,11 +120,8 @@ outputs:
|
||||
puppet_config:
|
||||
config_volume: nova
|
||||
puppet_tags: nova_config,nova_paste_api_ini
|
||||
step_config:
|
||||
list_join:
|
||||
- "\n"
|
||||
- - include tripleo::profile::base::nova::compute::ironic
|
||||
- {get_attr: [MySQLClient, role_data, step_config]}
|
||||
step_config: |
|
||||
include tripleo::profile::base::nova::compute::ironic
|
||||
config_image: {get_param: ContainerNovaConfigImage}
|
||||
kolla_config:
|
||||
/var/lib/kolla/config_files/nova_ironic.json:
|
||||
|
@ -376,9 +376,6 @@ resources:
|
||||
ContainersCommon:
|
||||
type: ../containers-common.yaml
|
||||
|
||||
MySQLClient:
|
||||
type: ../../deployment/database/mysql-client.yaml
|
||||
|
||||
NovaLibvirtLogging:
|
||||
type: OS::TripleO::Services::Logging::NovaLibvirt
|
||||
|
||||
@ -392,6 +389,7 @@ resources:
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the Libvirt service.
|
||||
@ -614,11 +612,8 @@ outputs:
|
||||
puppet_config:
|
||||
config_volume: nova_libvirt
|
||||
puppet_tags: libvirtd_config,virtlogd_config,nova_config,file,libvirt_tls_password
|
||||
step_config:
|
||||
list_join:
|
||||
- "\n"
|
||||
- - include tripleo::profile::base::nova::libvirt
|
||||
- {get_attr: [MySQLClient, role_data, step_config]}
|
||||
step_config: |
|
||||
include tripleo::profile::base::nova::libvirt
|
||||
config_image: {get_param: ContainerNovaLibvirtConfigImage}
|
||||
kolla_config:
|
||||
/var/lib/kolla/config_files/nova_libvirt.json:
|
||||
|
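--- /dev/null
+++ b/deployment/nova/nova-manager-container-puppet.yaml
@@ -0,0 +1,105 @@
+heat_template_version: rocky
+
+description: >
+  OpenStack containerized nova-manage runner service
+
+parameters:
+  ContainerNovaConductorImage:
+    description: image
+    type: string
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry. This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+
+
+resources:
+
+  # Cannot control nova-manage logging so expect it to log to file
+  NovaLogging:
+    type: ../logging/files/nova-common.yaml
+    properties:
+      ContainerNovaImage: &nova_conductor_image {get_param: ContainerNovaConductorImage}
+      NovaServiceName: 'manager'
+
+  ContainersCommon:
+    type: ../containers-common.yaml
+
+  NovaConductorBase:
+    type: ./nova-conductor-container-puppet.yaml
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
+
+outputs:
+  role_data:
+    description: Role data for the nova-manage runner service.
+    value:
+      service_name: nova_manager
+      config_settings:
+        get_attr: [NovaConductorBase, role_data, config_settings]
+      service_config_settings:
+        mysql:
+          get_attr: [NovaConductorBase, role_data, service_config_settings, mysql]
+      # BEGIN DOCKER SETTINGS
+      puppet_config:
+        get_attr: [NovaConductorBase, role_data, puppet_config]
+      kolla_config:
+        /var/lib/kolla/config_files/nova_manager.json:
+          command: "/bin/sleep infinity"
+          config_files:
+            - source: "/var/lib/kolla/config_files/src/*"
+              dest: "/"
+              merge: true
+              preserve_properties: true
+          permissions:
+            - path: /var/log/nova
+              owner: nova:nova
+              recurse: true
+      docker_config:
+        step_2:
+          get_attr: [NovaLogging, docker_config, step_2]
+        step_4:
+          nova_manager:
+            image: *nova_conductor_image
+            net: host
+            privileged: false
+            restart: always
+            volumes:
+              list_concat:
+                - {get_attr: [ContainersCommon, volumes]}
+                - {get_attr: [NovaLogging, volumes]}
+                -
+                  - /var/lib/kolla/config_files/nova_manager.json:/var/lib/kolla/config_files/config.json:ro
+                  - /var/lib/config-data/puppet-generated/nova:/var/lib/kolla/config_files/src:ro
+            environment:
+              KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
+      host_prep_tasks:
+        get_attr: [NovaLogging, host_prep_tasks]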
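Review bot: `ContainerNovaConductorImage` is documented only as `image`; since the anchor `&nova_conductor_image` shows it is the conductor image being reused for this container, suggest `description: Container image for the nova-manage runner; the conductor image is reused.`. Because `config_settings` and `puppet_config` are taken wholesale from `NovaConductorBase`, the nova_manager container carries the API and cell DB credentials that this commit removes from compute, so a comment next to `service_name: nova_manager` stating that this service must only be mapped onto roles that already hold the conductor's DB access would stop a later role composition from quietly undoing the split. The `/bin/sleep infinity` idle container uses `net: host`; if nova-manage only needs to reach the database and message bus, host networking looks unnecessary — confirm whether it is required here.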
@ -81,6 +81,7 @@ conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
|
||||
is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
|
||||
is_not_cell_local: {equals: [{get_param: NovaLocalMetadataPerCell}, false]}
|
||||
|
||||
resources:
|
||||
|
||||
@ -114,6 +115,27 @@ resources:
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
NovaApiDBClient:
|
||||
type: ./nova-apidb-client-puppet.yaml
|
||||
properties:
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
DefaultPasswords: {get_param: DefaultPasswords}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
NovaDBClient:
|
||||
type: ./nova-db-client-puppet.yaml
|
||||
properties:
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
DefaultPasswords: {get_param: DefaultPasswords}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the Nova Metadata service.
|
||||
@ -128,6 +150,11 @@ outputs:
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [NovaBase, role_data, config_settings]
|
||||
- if:
|
||||
- is_not_cell_local
|
||||
- get_attr: [NovaApiDBClient, role_data, config_settings]
|
||||
- {}
|
||||
- get_attr: [NovaDBClient, role_data, config_settings]
|
||||
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
||||
- get_attr: [NovaMetadataLogging, config_settings]
|
||||
- apache::default_vhost: false
|
||||
@ -167,19 +194,17 @@ outputs:
|
||||
- nova::metadata::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
|
||||
- {}
|
||||
service_config_settings:
|
||||
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
|
||||
mysql:
|
||||
map_merge:
|
||||
- if:
|
||||
- is_not_cell_local
|
||||
- get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
|
||||
- {}
|
||||
- get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
|
||||
rsyslog:
|
||||
tripleo_logging_sources_nova_metadata:
|
||||
- {get_param: NovaMetadataLoggingSource}
|
||||
mysql:
|
||||
map_merge:
|
||||
- {get_attr: [NovaBase, role_data, service_config_settings, mysql]}
|
||||
- nova::db::mysql_api::password: {get_param: NovaPassword}
|
||||
nova::db::mysql_api::user: nova_api
|
||||
nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
||||
nova::db::mysql_api::dbname: nova_api
|
||||
nova::db::mysql_api::allowed_hosts:
|
||||
- '%'
|
||||
- "%{hiera('mysql_bind_host')}"
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
config_volume: nova_metadata
|
||||
|
@ -142,6 +142,26 @@ resources:
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
NovaApiDBClient:
|
||||
type: ./nova-apidb-client-puppet.yaml
|
||||
properties:
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
DefaultPasswords: {get_param: DefaultPasswords}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
NovaDBClient:
|
||||
type: ./nova-db-client-puppet.yaml
|
||||
properties:
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
DefaultPasswords: {get_param: DefaultPasswords}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
@ -151,8 +171,10 @@ outputs:
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionNovaScheduler}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- {get_attr: [NovaBase, role_data, config_settings]}
|
||||
- {get_attr: [NovaLogging, config_settings]}
|
||||
- get_attr: [NovaBase, role_data, config_settings]
|
||||
- get_attr: [NovaApiDBClient, role_data, config_settings]
|
||||
- get_attr: [NovaDBClient, role_data, config_settings]
|
||||
- get_attr: [NovaLogging, config_settings]
|
||||
- nova::scheduler::filter::scheduler_available_filters: {get_param: NovaSchedulerAvailableFilters}
|
||||
nova::scheduler::filter::scheduler_default_filters: {get_param: NovaSchedulerDefaultFilters}
|
||||
nova::scheduler::filter::scheduler_max_attempts: {get_param: NovaSchedulerMaxAttempts}
|
||||
@ -168,6 +190,11 @@ outputs:
|
||||
- {}
|
||||
- nova::scheduler::workers: {get_param: NovaSchedulerWorkers}
|
||||
service_config_settings:
|
||||
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
|
||||
mysql:
|
||||
map_merge:
|
||||
- get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
|
||||
- get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
|
||||
rsyslog:
|
||||
tripleo_logging_sources_nova_scheduler:
|
||||
- {get_param: NovaSchedulerLoggingSource}
|
||||
|
@ -155,6 +155,17 @@ resources:
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
NovaDBClient:
|
||||
type: ./nova-db-client-puppet.yaml
|
||||
properties:
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
DefaultPasswords: {get_param: DefaultPasswords}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the Nova Vncproxy service.
|
||||
@ -167,7 +178,9 @@ outputs:
|
||||
- 13080
|
||||
config_settings:
|
||||
map_merge:
|
||||
- {get_attr: [NovaLogging, config_settings]}
|
||||
- get_attr: [NovaBase, role_data, config_settings]
|
||||
- get_attr: [NovaDBClient, role_data, config_settings]
|
||||
- get_attr: [NovaLogging, config_settings]
|
||||
- nova::vncproxy::enabled: true
|
||||
nova::vncproxy::common::vncproxy_protocol: {get_param: [EndpointMap, NovaVNCProxyCellPublic, protocol]}
|
||||
nova::vncproxy::common::vncproxy_host: {get_param: [EndpointMap, NovaVNCProxyCellPublic, host_nobrackets]}
|
||||
@ -249,6 +262,10 @@ outputs:
|
||||
- {get_param: NovaVNCCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings:
|
||||
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
|
||||
mysql:
|
||||
map_merge:
|
||||
- get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
|
||||
rsyslog:
|
||||
tripleo_logging_sources_nova_vnc_proxy:
|
||||
- {get_param: NovaVncproxyLoggingSource}
|
||||
|
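Review bot: Under `service_config_settings`, `mysql:` wraps a single `get_attr` in `map_merge`, which is a no-op; `mysql: {get_attr: [NovaDBClient, role_data, service_config_settings, mysql]}` reads as the same thing on one line, unless a second client is expected to be merged in later, in which case a one-line comment saying so would justify the extra nesting. No other service in this commit uses a single-element merge. The enclosing `service_config_settings` mapping continues outside the hunk.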