Template and role support for the undercloud

Add a new roles data YAML file and environment to help
create the undercloud via t-h-t.

Partially-implements: blueprint heat-undercloud

Change-Id: I36df7fa86c2ff40026d59f02248af529a4a81861

environments/undercloud.yaml

@@ -0,0 +1,18 @@
+resource_registry:
+  OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/noop.yaml
+  OS::TripleO::Network::Ports::ControlPlaneVipPort: ../deployed-server/deployed-neutron-port.yaml
+  OS::TripleO::Undercloud::Net::SoftwareConfig: ../net-config-undercloud.yaml
+  OS::TripleO::NodeExtraConfigPost: ../extraconfig/post_deploy/undercloud_post.yaml
+
+parameter_defaults:
+  StackAction: CREATE
+  SoftwareConfigTransport: POLL_SERVER_HEAT
+  NeutronTunnelTypes: []
+  NeutronBridgeMappings: ctlplane:br-ctlplane
+  NeutronAgentExtensions: []
+  NeutronFlatNetworks: '*'
+  NovaSchedulerAvailableFilters: 'tripleo_common.filters.list.tripleo_filters'
+  NovaSchedulerDefaultFilters: ['RetryFilter', 'TripleOCapabilitiesFilter', 'ComputeCapabilitiesFilter', 'AvailabilityZoneFilter', 'RamFilter', 'DiskFilter', 'ComputeFilter', 'ImagePropertiesFilter', 'ServerGroupAntiAffinityFilter', 'ServerGroupAffinityFilter']
+  NeutronDhcpAgentsPerNetwork: 2
+  HeatConvergenceEngine: false
+  HeatMaxResourcesPerStack: -1

extraconfig/post_deploy/undercloud_post.sh

@@ -0,0 +1,126 @@
+#!/bin/bash
+set -eux
+
+ln -sf /etc/puppet/hiera.yaml /etc/hiera.yaml
+
+
+# WRITE OUT STACKRC
+if [ ! -e /root/stackrc ]; then
+    touch /root/stackrc
+    chmod 0600 /root/stackrc
+
+cat >> /root/stackrc <<-EOF_CAT
+export OS_PASSWORD=$admin_password
+export OS_AUTH_URL=$auth_url
+export OS_USERNAME=admin
+export OS_TENANT_NAME=admin
+export COMPUTE_API_VERSION=1.1
+export NOVA_VERSION=1.1
+export OS_BAREMETAL_API_VERSION=1.15
+export OS_NO_CACHE=True
+export OS_CLOUDNAME=undercloud
+EOF_CAT
+
+    if [ -n "$ssl_certificate" ]; then
+cat >> /root/stackrc <<-EOF_CAT
+export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available"
+EOF_CAT
+    fi
+fi
+
+source /root/stackrc
+
+if [ ! -f /root/.ssh/authorized_keys ]; then
+    sudo mkdir -p /root/.ssh
+    sudo chmod 7000 /root/.ssh/
+    sudo touch /root/.ssh/authorized_keys
+    sudo chmod 600 /root/.ssh/authorized_keys
+fi
+
+if [ ! -f /root/.ssh/id_rsa ]; then
+    ssh-keygen -b 1024 -N '' -f /root/.ssh/id_rsa
+fi
+
+if ! grep "$(cat /root/.ssh/id_rsa.pub)" /root/.ssh/authorized_keys; then
+    cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
+fi
+
+PHYSICAL_NETWORK=ctlplane
+
+ctlplane_id=$(openstack network list -f csv -c ID -c Name --quote none | tail -n +2 | grep ctlplane | cut -d, -f1)
+subnet_ids=$(openstack subnet list -f csv -c ID --quote none | tail -n +2)
+subnet_id=
+
+for subnet_id in $subnet_ids; do
+    network_id=$(openstack subnet show -f value -c network_id $subnet_id)
+    if [ "$network_id" = "$ctlplane_id" ]; then
+        break
+    fi
+done
+
+net_create=1
+if [ -n "$subnet_id" ]; then
+    cidr=$(openstack subnet show $subnet_id -f value -c cidr)
+    if [ "$cidr" = "$undercloud_network_cidr" ]; then
+        net_create=0
+    else
+        echo "New cidr $undercloud_network_cidr does not equal old cidr $cidr"
+        echo "Will attempt to delete and recreate subnet $subnet_id"
+    fi
+fi
+
+if [ "$net_create" -eq "1" ]; then
+    # Delete the subnet and network to make sure it doesn't already exist
+    if openstack subnet list | grep start; then
+        openstack subnet delete $(openstack subnet list | grep start | awk '{print $4}')
+    fi
+    if openstack network show ctlplane; then
+        openstack network delete ctlplane
+    fi
+
+
+    NETWORK_ID=$(openstack network create --provider-network-type=flat --provider-physical-network=ctlplane ctlplane | grep " id " | awk '{print $4}')
+
+    NAMESERVER_ARG=""
+    if [ -n "${undercloud_nameserver:-}" ]; then
+        NAMESERVER_ARG="--dns-nameserver $undercloud_nameserver"
+    fi
+
+    openstack subnet create --network=$NETWORK_ID \
+        --gateway=$undercloud_network_gateway \
+        --subnet-range=$undercloud_network_cidr \
+        --allocation-pool start=$undercloud_dhcp_start,end=$undercloud_dhcp_end \
+        --host-route destination=169.254.169.254/32,gateway=$local_ip \
+        $NAMESERVER_ARG ctlplane
+fi
+
+# Disable nova quotas
+openstack quota set --cores -1 --instances -1 --ram -1 $(openstack project show admin | awk '$2=="id" {print $4}')
+
+# MISTRAL WORKFLOW CONFIGURATION
+if [ "$(hiera mistral_api_enabled)" = "true" ]; then
+    # load workflows
+    for workbook in $(openstack workbook list | grep tripleo | cut -f 2 -d ' '); do
+        openstack workbook delete $workbook
+    done
+    for workflow in $(openstack workflow list | grep tripleo | cut -f 2 -d ' '); do
+        openstack workflow delete $workflow
+    done
+    for workbook in $(ls /usr/share/openstack-tripleo-common/workbooks/*); do
+        openstack workbook create $workbook
+    done
+
+  # Store the SNMP password in a mistral environment
+  if ! openstack workflow env show tripleo.undercloud-config &>/dev/null; then
+      TMP_MISTRAL_ENV=$(mktemp)
+      echo "{\"name\": \"tripleo.undercloud-config\", \"variables\": {\"undercloud_ceilometer_snmpd_password\": \"$snmp_readonly_user_password\"}}" > $TMP_MISTRAL_ENV
+      openstack workflow env create $TMP_MISTRAL_ENV
+   fi
+
+fi
+
+# IP forwarding is needed to allow the overcloud nodes access to the outside
+# internet in cases where they are on an isolated network.
+sysctl -w net.ipv4.ip_forward=1
+# Make it persistent
+echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/ip-forward.conf

extraconfig/post_deploy/undercloud_post.yaml

@@ -0,0 +1,93 @@
+heat_template_version: ocata
+
+description: >
+  Post-deployment for the TripleO undercloud
+
+parameters:
+  servers:
+    type: json
+  DeployedServerPortMap:
+    default: {}
+    type: json
+  UndercloudDhcpRangeStart:
+    type: string
+    default: '192.168.24.5'
+  UndercloudDhcpRangeEnd:
+    type: string
+    default: '192.168.24.24'
+  UndercloudNetworkCidr:
+    type: string
+    default: '192.168.24.0/24'
+  UndercloudNetworkGateway:
+    type: string
+    default: '192.168.24.1'
+  UndercloudNameserver:
+    type: string
+    default: ''
+  AdminPassword: #supplied by tripleo-undercloud-passwords.yaml
+    type: string
+    description: The password for the keystone admin account, used for monitoring, querying neutron etc.
+    hidden: True
+  SSLCertificate:
+    description: >
+      The content of the SSL certificate (without Key) in PEM format.
+    type: string
+    default: ""
+    hidden: True
+  SnmpdReadonlyUserPassword:
+    description: The user password for SNMPd with readonly rights running on all Overcloud nodes
+    type: string
+    hidden: true
+
+conditions:
+
+  ssl_disabled: {equals : [{get_param: SSLCertificate}, ""]}
+
+resources:
+
+  UndercloudPostConfig:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: script
+      inputs:
+        - name: deploy_identifier
+        - name: local_ip
+        - name: undercloud_dhcp_start
+        - name: undercloud_dhcp_end
+        - name: undercloud_network_cidr
+        - name: undercloud_network_gateway
+        - name: undercloud_nameserver
+        - name: admin_password
+        - name: auth_url
+        - name: snmp_readonly_user_password
+      config: {get_file: ./undercloud_post.sh}
+
+  UndercloudPostDeployment:
+    type: OS::Heat::SoftwareDeployments
+    properties:
+      servers: {get_param: servers}
+      config: {get_resource: UndercloudPostConfig}
+      input_values:
+        local_ip: {get_param: [DeployedServerPortMap, 'control_virtual_ip', fixed_ips, 0, ip_address]}
+        undercloud_dhcp_start: {get_param: UndercloudDhcpRangeStart}
+        undercloud_dhcp_end: {get_param: UndercloudDhcpRangeEnd}
+        undercloud_network_cidr: {get_param: UndercloudNetworkCidr}
+        undercloud_network_gateway: {get_param: UndercloudNetworkGateway}
+        undercloud_nameserver: {get_param: UndercloudNameserver}
+        ssl_certificate: {get_param: SSLCertificate}
+        admin_password: {get_param: AdminPassword}
+        snmp_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
+        # if SSL is enabled we use the public virtual ip as the stackrc endpoint
+        auth_url:
+          if:
+          - ssl_disabled
+          - list_join:
+            - ''
+            - - 'http://'
+              - {get_param: [DeployedServerPortMap, 'control_virtual_ip', fixed_ips, 0, ip_address]}
+              - ':5000/v2.0'
+          - list_join:
+            - ''
+            - - 'https://'
+              - {get_param: [DeployedServerPortMap, 'public_virtual_ip', fixed_ips, 0, ip_address]}
+              - ':13000/v2.0'

net-config-undercloud.yaml

@@ -0,0 +1,77 @@
+heat_template_version: ocata
+description: >
+  Software Config to drive os-net-config for a simple bridge configured with a static IP address for the ctlplane network.
+parameters:
+  ControlPlaneIp:
+    default: ''
+    description: IP address/subnet on the ctlplane network
+    type: string
+  ExternalIpSubnet:
+    default: ''
+    description: IP address/subnet on the external network
+    type: string
+  InternalApiIpSubnet:
+    default: ''
+    description: IP address/subnet on the internal API network
+    type: string
+  StorageIpSubnet:
+    default: ''
+    description: IP address/subnet on the storage network
+    type: string
+  StorageMgmtIpSubnet:
+    default: ''
+    description: IP address/subnet on the storage mgmt network
+    type: string
+  TenantIpSubnet:
+    default: ''
+    description: IP address/subnet on the tenant network
+    type: string
+  ManagementIpSubnet:
+    default: ''
+    description: IP address/subnet on the management network
+    type: string
+  ControlPlaneSubnetCidr: # Override this via parameter_defaults
+    default: '24'
+    description: The subnet CIDR of the control plane network.
+    type: string
+  DnsServers: # Override this via parameter_defaults
+    default: []
+    description: A list of DNS servers (2 max for some implementations) that will be added to resolv.conf.
+    type: comma_delimited_list
+resources:
+  OsNetConfigImpl:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: script
+      inputs:
+        - name: disable_configure_safe_defaults
+          default: true
+      config:
+        str_replace:
+          template:
+            get_file: network/scripts/run-os-net-config.sh
+          params:
+            $network_config:
+              network_config:
+              - type: ovs_bridge
+                name: br-ctlplane
+                use_dhcp: false
+                dns_servers:
+                  get_param: DnsServers
+                addresses:
+                - ip_netmask:
+                    list_join:
+                    - /
+                    - - get_param: ControlPlaneIp
+                      - get_param: ControlPlaneSubnetCidr
+                members:
+                - type: interface
+                  name: eth1
+                  # force the MAC address of the bridge to this interface
+                  primary: true
+outputs:
+  OS::stack_id:
+    description: The OsNetConfigImpl resource.
+    value:
+      get_resource: OsNetConfigImpl
+

network/scripts/run-os-net-config.sh

@@ -108,7 +108,9 @@ EOF_CAT
 }
 
 if [ -n '$network_config' ]; then
-    trap configure_safe_defaults EXIT
+    if [ -z "${disable_configure_safe_defaults:-''}" ]; then
+        trap configure_safe_defaults EXIT
+    fi
 
     mkdir -p /etc/os-net-config
     # Note these variables come from the calling heat SoftwareConfig

overcloud.j2.yaml

@@ -1,3 +1,4 @@
+{% set primary_role_name = roles[0].name -%}
 heat_template_version: ocata
 
 description: >
@@ -415,8 +416,8 @@ resources:
 {% for role in roles %}
               - {get_attr: [{{role.name}}ServiceChain, role_data, logging_sources]}
 {% endfor %}
-      controller_ips: {get_attr: [Controller, ip_address]}
-      controller_names: {get_attr: [Controller, hostname]}
+      controller_ips: {get_attr: [{{primary_role_name}}, ip_address]}
+      controller_names: {get_attr: [{{primary_role_name}}, hostname]}
       service_ips:
         # Note (shardy) this somewhat complex yaql may be replaced
         # with a map_deep_merge function in ocata.  It merges the
@@ -454,7 +455,7 @@ resources:
               - {get_attr: [{{role.name}}IpListMap, short_service_bootstrap_hostnames]}
 {% endfor %}
       # FIXME(shardy): These require further work to move into service_ips
-      memcache_node_ips: {get_attr: [ControllerIpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, MemcachedNetwork]}]}
+      memcache_node_ips: {get_attr: [{{primary_role_name}}IpListMap, net_ip_map, {get_attr: [ServiceNetMap, service_net_map, MemcachedNetwork]}]}
       NetVipMap: {get_attr: [VipMap, net_ip_map]}
       RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]}
       ServiceNetMap: {get_attr: [ServiceNetMap, service_net_map_lower]}
@@ -560,12 +561,12 @@ resources:
       PingTestIps:
         list_join:
         - ' '
-        - - {get_attr: [Controller, resource.0.external_ip_address]}
-          - {get_attr: [Controller, resource.0.internal_api_ip_address]}
-          - {get_attr: [Controller, resource.0.storage_ip_address]}
-          - {get_attr: [Controller, resource.0.storage_mgmt_ip_address]}
-          - {get_attr: [Controller, resource.0.tenant_ip_address]}
-          - {get_attr: [Controller, resource.0.management_ip_address]}
+        - - {get_attr: [{{primary_role_name}}, resource.0.external_ip_address]}
+          - {get_attr: [{{primary_role_name}}, resource.0.internal_api_ip_address]}
+          - {get_attr: [{{primary_role_name}}, resource.0.storage_ip_address]}
+          - {get_attr: [{{primary_role_name}}, resource.0.storage_mgmt_ip_address]}
+          - {get_attr: [{{primary_role_name}}, resource.0.tenant_ip_address]}
+          - {get_attr: [{{primary_role_name}}, resource.0.management_ip_address]}
 
   UpdateWorkflow:
     type: OS::TripleO::Tasks::UpdateWorkflow

puppet/services/heat-base.yaml

@@ -57,6 +57,7 @@ outputs:
         heat::rabbit_port: {get_param: RabbitClientPort}
         heat::debug: {get_param: Debug}
         heat::enable_proxy_headers_parsing: true
+        heat::rpc_response_timeout: 600
         # We need this because the default heat policy.json no longer works on TripleO
         # https://git.openstack.org/cgit/openstack/heat/commit/?id=ac86702172ddf01f5bdc3f3cd99d2e32ad9b7024
         heat::policy::policies:
@@ -77,6 +78,8 @@ outputs:
         heat::cron::purge_deleted::destination: '/dev/null'
         heat::db::database_db_max_retries: -1
         heat::db::database_max_retries: -1
+        heat::yaql_memory_quota: 100000
+        heat::yaql_limit_iterators: 1000
       service_config_settings:
         keystone:
           tripleo::profile::base::keystone::heat_admin_domain: 'heat_stack'

roles_data.yaml

@@ -21,7 +21,7 @@
 # on the role, defaults to an empty list. Sets the default for the
 # {{role.name}}Services parameter in overcloud.yaml
 
-- name: Controller
+- name: Controller # the 'primary' role goes first
   CountDefault: 1
   ServicesDefault:
     - OS::TripleO::Services::CACerts

roles_data_undercloud.yaml

@@ -0,0 +1,35 @@
+- name: Undercloud # the 'primary' role goes first
+  CountDefault: 1
+  disable_constraints: True
+  ServicesDefault:
+    - OS::TripleO::Services::Ntp
+    - OS::TripleO::Services::MySQL
+    - OS::TripleO::Services::MongoDb
+    - OS::TripleO::Services::Keystone
+    - OS::TripleO::Services::Apache
+    - OS::TripleO::Services::RabbitMQ
+    - OS::TripleO::Services::GlanceApi
+    - OS::TripleO::Services::GlanceRegistry
+    - OS::TripleO::Services::SwiftProxy
+    - OS::TripleO::Services::SwiftStorage
+    - OS::TripleO::Services::SwiftRingBuilder
+    - OS::TripleO::Services::Memcached
+    - OS::TripleO::Services::HeatApi
+    - OS::TripleO::Services::HeatApiCfn
+    - OS::TripleO::Services::HeatEngine
+    - OS::TripleO::Services::NovaApi
+    - OS::TripleO::Services::NovaMetadata
+    - OS::TripleO::Services::NovaScheduler
+    - OS::TripleO::Services::NovaConductor
+    - OS::TripleO::Services::MistralEngine
+    - OS::TripleO::Services::MistralApi
+    - OS::TripleO::Services::MistralExecutor
+    - OS::TripleO::Services::IronicApi
+    - OS::TripleO::Services::IronicConductor
+    - OS::TripleO::Services::NovaIronic
+    - OS::TripleO::Services::Zaqar
+    - OS::TripleO::Services::NeutronServer
+    - OS::TripleO::Services::NeutronApi
+    - OS::TripleO::Services::NeutronCorePlugin
+    - OS::TripleO::Services::NeutronOvsAgent
+    - OS::TripleO::Services::NeutronDhcpAgent