heat_template_version: wallaby description: > Ceph base service. Shared by all Ceph services. parameters: ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json StackUpdateType: type: string description: > Type of update, to differentiate between UPGRADE and UPDATE cases when StackAction is UPDATE (both are the same stack action). constraints: - allowed_values: ['', 'UPGRADE'] default: '' NodeDataLookup: type: json default: {} description: json containing per-node configuration map DeploymentServerBlacklist: default: [] type: comma_delimited_list description: > List of server hostnames to blacklist from any triggered deployments. ContainerCli: type: string default: 'podman' description: CLI tool used to manage containers. constraints: - allowed_values: ['docker', 'podman'] CephEnableDashboard: type: boolean default: false description: Parameter used to trigger the dashboard deployment. CephConfigOverrides: type: json description: Extra config settings to dump into ceph.conf default: {} CephClusterFSID: type: string description: The Ceph cluster FSID. Must be a UUID. CephClusterName: type: string default: ceph description: The Ceph cluster name. constraints: - allowed_pattern: "[a-zA-Z0-9]+" description: > The Ceph cluster name must be at least 1 character and contain only letters and numbers. CephMsgrSecureMode: type: boolean default: false description: > Enable Ceph msgr2 secure mode to enable on-wire encryption between Ceph daemons and also between Ceph clients and daemons. CephPoolDefaultPgNum: description: default pg_num to use for the RBD pools type: number default: 16 CephPools: description: > It can be used to override settings for one of the predefined pools, or to create additional ones. Example: [{"name": "volumes", "pg_num": 64, "rule_name": "replicated_rule"}, {"name": "vms", "target_size_ratio": "0.4", "rule_name": "replicated_rule"}] default: [] type: json CinderRbdPoolName: default: volumes type: string CinderRbdExtraPools: default: [] description: > List of extra Ceph pools for use with RBD backends for Cinder. An extra Cinder RBD backend driver is created for each pool in the list. This is in addition to the standard RBD backend driver associated with the CinderRbdPoolName. type: comma_delimited_list CinderBackupRbdPoolName: default: backups type: string GlanceRbdPoolName: default: images type: string GlanceBackend: default: swift description: The short name of the Glance backend to use. Should be one of swift, rbd, cinder, or file type: string constraints: - allowed_values: ['swift', 'file', 'rbd', 'cinder'] GnocchiRbdPoolName: default: metrics type: string NovaRbdPoolName: default: vms type: string description: The pool name for RBD backend ephemeral storage. tags: - role_specific CephClientKey: description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. type: string hidden: true constraints: - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$" CephClientUserName: default: openstack type: string CephRgwClientName: default: radosgw type: string CephRgwKey: description: The cephx key for the radosgw client. Can be created with ceph-authtool --gen-print-key. type: string hidden: true constraints: - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$" CephPoolDefaultSize: description: default minimum replication for RBD copies type: number default: 3 ManilaCephFSDataPoolName: default: manila_data type: string ManilaCephFSMetadataPoolName: default: manila_metadata type: string ManilaCephFSShareBackendName: default: cephfs type: string ManilaCephFSCephFSAuthId: default: manila type: string CephManilaClientKey: default: '' description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. type: string hidden: true constraints: - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$" CephIPv6: default: False type: boolean SwiftPassword: description: The password for the swift service account type: string hidden: true ContainerCephDaemonImage: description: image type: string # start DEPRECATED options for compatibility with older versions CephAnsiblePlaybookVerbosity: default: 1 description: The number of '-v', '-vv', etc. passed to ansible-playbook command type: number constraints: - range: { min: 1, max: 5 } CephAnsibleEnvironmentVariables: default: {} description: Mapping of Ansible environment variables to override defaults. type: json SwiftFetchDirGetTempurl: default: '' description: A temporary Swift URL to download the fetch_directory from. type: string SwiftFetchDirPutTempurl: default: '' description: A temporary Swift URL to upload the fetch_directory to. type: string LocalCephAnsibleFetchDirectoryBackup: default: '' description: Filesystem path on undercloud to persist a copy of the data from the ceph-ansible fetch directory. Used as an alternative to backing up the fetch_directory in Swift. Path must be writable and readable by the user running ansible from config-download, e.g. the mistral user in the mistral-executor container is able to read/write to /var/lib/mistral/ceph_fetch type: string CephOsdPercentageMin: default: 0 description: The minimum percentage of Ceph OSDs which must be running and in the Ceph cluster, according to ceph osd stat, for the deployment not to fail. Used to catch deployment errors early. Set this value to 0 to disable this check. Deprecated in Wallaby because of the move from ceph-ansible to cephadm; the later only brings up OSDs out of band and deployment does not block while waiting for them to come up, thus we cannot do this anymore. type: number CephAnsiblePlaybook: type: comma_delimited_list description: > List of paths to the ceph-ansible playbooks to execute. If not specified, the playbook will be determined automatically depending on type of operation being performed (deploy/update/upgrade). default: ['default'] CephAnsibleExtraConfig: type: json description: Extra vars for the ceph-ansible playbook default: {} CephAnsibleSkipTags: type: string description: List of ceph-ansible tags to skip default: 'package-install,with_pkg' CephAnsibleRepo: type: string description: | The repository that should be used to install the right ceph-ansible package. This value can be used by tripleo-validations to double check the right ceph-ansible version is installed. default: 'centos-ceph-nautilus' CephAnsibleWarning: type: boolean description: | In particular scenarios we want this validation to show the warning but don't fail because the package is installed on the system but repos are disabled. default: true # end DEPRECATED options for compatibility with older versions ContainerImageRegistryCredentials: type: json hidden: true description: | Mapping of image registry hosts to login credentials. Must be in the following example format docker.io: username: pa55word '192.0.2.1:8787': registry_username: password default: {} CephExtraKeys: type: json hidden: true description: | List of maps describing extra keys which will be created on the deployed Ceph cluster. Uses ceph-ansible/library/ceph_key.py ansible module. Each item in the list must be in the following example format - name: "client.glance" caps: mgr: "allow *" mon: "profile rbd" osd: "profile rbd pool=images" key: "AQBRgQ9eAAAAABAAv84zEilJYZPNuJ0Iwn9Ndg==" mode: "0600" default: [] CinderEnableRbdBackend: default: false description: Whether to enable or not the Rbd backend for Cinder type: boolean NovaEnableRbdBackend: default: false description: Whether to enable the Rbd backend for Nova ephemeral storage. type: boolean tags: - role_specific CinderBackupBackend: default: swift description: The short name of the Cinder Backup backend to use. type: string constraints: - allowed_values: ['swift', 'ceph', 'nfs', 'gcs', 's3'] GnocchiBackend: default: swift description: The short name of the Gnocchi backend to use. Should be one of swift, rbd, file or s3. type: string constraints: - allowed_values: ['swift', 'file', 'rbd', 's3'] EnableInternalTLS: type: boolean default: false CephClientConfigVars: default: "/home/stack/ceph_client.yml" type: string description: The undercloud path where cephadm exports the Ceph Client configuration. CephAnsibleSkipClient: description: | This boolean (when true) prevents the ceph-ansible client role execution by adding the ceph-ansible tag 'ceph_client' to the --skip-tags list. type: boolean default: true CephDynamicSpec: type: boolean default: true description: | If true the tripleo_run_cephadm role will build an orchestrator-cli-service-spec file based on the data found in the inventory (which is based on composable roles) by using the ceph_spec_bootstrap Ansible module in tripleo-ansible. CephSpecPath: default: "{{ playbook_dir }}/cephadm/ceph_spec.yaml" type: string description: | The path on the undercloud to a valid Ceph orchestrator CLI service spec file. If you do not want the spec to be generated automatically and instead prefer to supply your own spec, then place your spec at this path on the undercloud and set CephDynamicSpec to false. If CephDynamicSpec is true and CephSpecPath is set to a valid path, then the spec will be created at that path before it is used to deploy Ceph. By default the spec will be created by config-download in config-download//cephadm/ceph_spec.yaml. CephOsdSpec: description: | If CephDynamicSpec is true, then any valid OSD service specification set in CephOsdSpec will appear in the genereated Ceph spec for the 'osd' service_type. Replaces CephAnsibleDisksConfig. This parameter has no effect if CephDynamicSpec is false. Use this paramter to override the default of using all available block devices as data_devices. See the Ceph documentation for cephadm drivegroups. Exclude service_type, service_id, and placement from this parameter. In the example below all rotating devices will be data devices and all non-rotating devices will be used as shared devices (wal, db). CephOsdSpec: data_devices: rotational: 1 db_devices: rotational: 0 type: json default: data_devices: all: true CephSpecFqdn: default: false type: boolean description: | If both CephDynamicSpec and CephSpecFqdn are true, then the hostname and hosts of the generated Ceph spec will have their fully qualified domain name instead of their short hostname. This parameter has no effect if CephDynamicSpec is false. CephCrushRules: type: json description: | List of rules describing the device classes that will be found on the deployed Ceph cluster. They can be specified in the following form - name: HDD root: default type: host class: hdd default: true default: [] parameter_groups: - label: deprecated description: Do not use deprecated params, they will be removed. parameters: - LocalCephAnsibleFetchDirectoryBackup - SwiftFetchDirGetTempurl - SwiftFetchDirPutTempurl - CephIPv6 - CephAnsibleEnvironmentVariables - CephAnsibleExtraConfig - CephAnsiblePlaybook - CephAnsiblePlaybookVerbosity - CephAnsibleRepo - CephAnsibleSkipTags - CephAnsibleSkipClient - CephAnsibleWarning - CephOsdPercentageMin conditions: msgr_secure_mode: {equals: [{get_param: CephMsgrSecureMode}, true]} custom_registry_host: yaql: data: {get_param: ContainerCephDaemonImage} expression: $.data.split('/')[0].matches('(\.|:)') perform_upgrade: equals: [{get_param: StackUpdateType}, 'UPGRADE'] ceph_ansible_skip_tags_set: not: equals: - {get_param: CephAnsibleSkipTags} - '' ceph_authenticated_registry: and: - not: yaql: data: cred: {get_param: ContainerImageRegistryCredentials} ns: yaql: expression: let(location => $.data.rightSplit(':', 1)[0]) -> regex('(?:https?://)?(.*?)/(.*)').split($location)[1] data: {get_param: ContainerCephDaemonImage} expression: let(c => $.data.cred) -> $c.get($.data.ns, {}).keys().last(default => "").isEmpty() - not: yaql: data: cred: {get_param: ContainerImageRegistryCredentials} ns: yaql: expression: let(location => $.data.rightSplit(':', 1)[0]) -> regex('(?:https?://)?(.*?)/(.*)').split($location)[1] data: {get_param: ContainerCephDaemonImage} expression: let(c => $.data.cred) -> $c.get($.data.ns, {}).values().last(default => "").isEmpty() is_ipv6: equals: - {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, CephMonNetwork]}]} - 6 internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: ContainerImageUrlParts: type: OS::Heat::Value properties: type: json value: host: if: - custom_registry_host - yaql: expression: let(location => $.data.rightSplit(':', 1)[0]) -> regex('(?:https?://)?(.*?)/(.*)').split($location)[1] data: {get_param: ContainerCephDaemonImage} - docker.io image: if: - custom_registry_host - yaql: expression: let(location => $.data.rightSplit(':', 1)[0]) -> regex('(?:https?://)?(.*?)/(.*)').split($location)[2] data: {get_param: ContainerCephDaemonImage} - yaql: expression: $.data.rightSplit(':', 1)[0] data: {get_param: ContainerCephDaemonImage} image_tag: yaql: expression: $.data.rightSplit(':', 1)[1] data: {get_param: ContainerCephDaemonImage} MsgrSecureModeOverrides: type: OS::Heat::Value properties: type: json value: vars: global: ms_cluster_mode: secure ms_service_mode: secure ms_client_mode: secure DefaultCephConfigOverrides: type: OS::Heat::Value properties: type: json value: vars: global: osd_pool_default_size: {get_param: CephPoolDefaultSize} osd_pool_default_pg_num: {get_param: CephPoolDefaultPgNum} osd_pool_default_pgp_num: {get_param: CephPoolDefaultPgNum} CephBasePoolVars: type: OS::Heat::Value properties: type: json value: vars: gnocchi_pool: name: {get_param: GnocchiRbdPoolName} enabled: if: - equals: - {get_param: GnocchiBackend} - 'rbd' - true - false nova_pool: name: {get_param: NovaRbdPoolName} enabled: {get_param: NovaEnableRbdBackend} glance_pool: name: {get_param: GlanceRbdPoolName} enabled: if: - equals: - {get_param: GlanceBackend} - 'rbd' - true - false cinder_pool: name: {get_param: CinderRbdPoolName} enabled: {get_param: CinderEnableRbdBackend} cinder_extra_pools: {get_param: CinderRbdExtraPools} cinder_backup_pool: name: {get_param: CinderBackupRbdPoolName} enabled: if: - equals: - {get_param: CinderBackupBackend} - 'ceph' - true - false extra_pools: {get_param: CephPools} pg_num: {get_param: CephPoolDefaultPgNum} CephManilaPoolVars: type: OS::Heat::Value properties: type: json value: vars: data: {get_param: ManilaCephFSDataPoolName} metadata: {get_param: ManilaCephFSMetadataPoolName} data_pg_num: {get_param: CephPoolDefaultPgNum} metadata_pg_num: {get_param: CephPoolDefaultPgNum} CephKeyVars: type: OS::Heat::Value properties: type: json value: vars: openstack_client: name: {get_param: CephClientUserName} key: {get_param: CephClientKey} manila: name: {get_param: ManilaCephFSCephFSAuthId} key: {get_param: CephManilaClientKey} radosgw: name: {get_param: CephRgwClientName} key: {get_param: CephRgwKey} extra_keys: {get_param: CephExtraKeys} CephAdmVars: type: OS::Heat::Value properties: type: json value: vars: tripleo_cephadm_fsid: {get_param: CephClusterFSID} tripleo_cephadm_cluster: {get_param: CephClusterName} tripleo_cephadm_container_cli: {get_param: ContainerCli} tripleo_ceph_client_vars: {get_param: CephClientConfigVars} tripleo_cephadm_dashboard_enabled: {get_param: CephEnableDashboard} cephfs: {get_param: ManilaCephFSShareBackendName} tripleo_cephadm_container_ns: {get_attr: [ContainerImageUrlParts, value, host]} tripleo_cephadm_container_image: {get_attr: [ContainerImageUrlParts, value, image]} tripleo_cephadm_container_tag: {get_attr: [ContainerImageUrlParts, value, image_tag]} tripleo_cephadm_crush_rules: {get_param: CephCrushRules} ceph_container_registry_auth: if: - ceph_authenticated_registry - true - false ceph_container_registry_username: yaql: data: cred: {get_param: ContainerImageRegistryCredentials} ns: {get_attr: [ContainerImageUrlParts, value, host]} expression: let(c => $.data.cred) -> $c.get($.data.ns, {}).keys().last(default => "") ceph_container_registry_password: yaql: data: cred: {get_param: ContainerImageRegistryCredentials} ns: {get_attr: [ContainerImageUrlParts, value, host]} expression: let(c => $.data.cred) -> $c.get($.data.ns, {}).values().last(default => "") public_network: list_join: - ',' - get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephMonNetwork]}] cluster_network: list_join: - ',' - get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephClusterNetwork]}] outputs: role_data: description: Role data for the Ceph base service. value: service_name: ceph_base upgrade_tasks: [] puppet_config: config_image: '' config_volume: '' step_config: '' docker_config: {} config_settings: {} external_deploy_tasks: - name: ceph_base_external_deploy_task when: step|int == 2 tags: - ceph block: - name: create cephadm working directory and related files include_role: name: tripleo_run_cephadm tasks_from: prepare.yml vars: ceph_pools: {get_attr: [CephBasePoolVars, value, vars]} manila_pools: {get_attr: [CephManilaPoolVars, value, vars]} ceph_keys: {get_attr: [CephKeyVars, value, vars]} ceph_config_overrides: {get_param: CephConfigOverrides} tripleo_run_cephadm_spec_path: {get_param: CephSpecPath} tripleo_cephadm_dynamic_spec: {get_param: CephDynamicSpec} ceph_spec_fqdn: {get_param: CephSpecFqdn} ceph_osd_spec: {get_param: CephOsdSpec} ceph_default_overrides: if: - msgr_secure_mode - yaql: expression: ($.data.default).mergeWith($.data.secure) data: default: {get_attr: [DefaultCephConfigOverrides, value, vars]} secure: {get_attr: [MsgrSecureModeOverrides, value, vars]} - {get_attr: [DefaultCephConfigOverrides, value, vars]} cephadm_extra_vars: # cephadm execution map_merge: - {get_attr: [CephAdmVars, value, vars]} ceph_admin_extra_vars: # user creation tripleo_admin_generate_key: false distribute_private_key: true tripleo_admin_user: ceph-admin ssh_servers: "{{ groups['ceph_mon'] | union(groups['ceph_osd']|default([])) | union(groups['ceph_mgr']|default([])) | union(groups['ceph_rgw']|default([])) | union(groups['ceph_mds']|default([])) | union(groups['ceph_nfs']|default([])) | union(groups['ceph_rbdmirror']|default([])) | unique }}" - name: Prepare cephadm user and keys include_role: name: tripleo_run_cephadm tasks_from: enable_ceph_admin_user.yml # This is supposed to run a playbook which is responsible to # deploy Ceph using cephadm. # The storage network is supposed to be available since we are # at step 2 # TODO: (fpantano) Remove this section when --network-ports is # available and Ceph deployment can be moved **before** # the overcloud. - name: Deploy the ceph cluster using cephadm include_role: name: tripleo_run_cephadm