heat_template_version: wallaby description: > OpenStack containerized Rabbitmq service parameters: ContainerRabbitmqImage: description: image type: string tags: - role_specific ContainerRabbitmqConfigImage: description: The container image to use for the rabbitmq config_volume type: string tags: - role_specific EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json RabbitCookie: type: string default: '' hidden: true EnableInternalTLS: type: boolean default: false RabbitUserName: default: guest description: The username for RabbitMQ type: string RabbitPassword: description: The password for RabbitMQ type: string hidden: true RabbitFDLimit: default: 65536 description: Configures RabbitMQ FD limit type: number RabbitTCPBacklog: default: 4096 description: Configures RabbitMQ maximum TCP Backlog type: number RabbitIPv6: default: false description: Enable IPv6 in RabbitMQ type: boolean RabbitHAQueues: description: The number of HA queues to be configured in rabbit. The default is -1 which translates to "ha-mode all". The special value 0 will be automatically overridden to CEIL(N/2) where N is the number of nodes running rabbitmq. default: 0 type: number RabbitNetTickTime: description: The number of seconds to configure the value of the erlang net_ticktime kernel variable. default: 15 type: number RabbitFIPS: type: boolean default: false description: Configures RabbitMQ to run in FIPS mode RabbitAdditionalErlArgs: description: Additional parameters passed to the Erlang subsystem. The string needs to be enclosed in quotes twice. We default to '+sbwt none +sbwtdcpu none +sbwtdio none' in order to have the erlang vm be less busy on spinlocks, but we allow a simple way of overriding it. default: "'+sbwt none +sbwtdcpu none +sbwtdio none'" type: string MonitoringSubscriptionRabbitmq: default: 'overcloud-rabbitmq' type: string DeployIdentifier: default: '' type: string description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. CertificateKeySize: type: string default: '2048' description: Specifies the private key size used when creating the certificate. RabbitmqCertificateKeySize: type: string default: '' description: Override the private key size used when creating the certificate for this service InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. RabbitmqEnableManagementAccess: type: boolean default: false description: Allow access to RabbitMQ management plugin over network parameter_groups: - label: deprecated description: | The following parameters are deprecated and will be removed. They should not be relied on for new deployments. If you have concerns regarding deprecated parameters, please contact the TripleO development team on IRC or the OpenStack mailing list. parameters: - RabbitIPv6 conditions: is_ipv6: equals: - {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, RabbitmqNetwork]}]} - 6 key_size_override_set: not: {equals: [{get_param: RabbitmqCertificateKeySize}, '']} rabbitmq_cacert_set: not: {equals: [{get_param: InternalTLSCAFile}, '']} resources: ContainersCommon: type: ../containers-common.yaml RoleParametersValue: type: OS::Heat::Value properties: type: json value: map_replace: - map_replace: - ContainerRabbitmqImage: ContainerRabbitmqImage ContainerRabbitmqConfigImage: ContainerRabbitmqConfigImage - values: {get_param: [RoleParameters]} - values: ContainerRabbitmqImage: {get_param: ContainerRabbitmqImage} ContainerRabbitmqConfigImage: {get_param: ContainerRabbitmqConfigImage} outputs: role_data: description: Role data for the Rabbitmq API role. value: service_name: rabbitmq firewall_rules: '109 rabbitmq': dport: list_concat: - - 4369 - 5672 - 25672 - 25673-25683 - if: - {get_param: RabbitmqEnableManagementAccess} - - 15672 monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq} # RabbitMQ plugins initialization occurs on every node config_settings: map_merge: - rabbitmq::file_limit: {get_param: RabbitFDLimit} rabbitmq::default_user: {get_param: RabbitUserName} rabbitmq::default_pass: {get_param: RabbitPassword} rabbit_ipv6: {if: [is_ipv6, true, false]} rabbitmq::delete_guest_user: false rabbitmq::wipe_db_on_cookie_change: true rabbitmq::port: 5672 rabbitmq::loopback_users: [] rabbitmq::tcp_backlog: {get_param: RabbitTCPBacklog} rabbitmq::repos_ensure: false rabbitmq::tcp_keepalive: true # https://launchpad.net/bugs/1822673 (lang/lc_all to utf-8 are an elixir requirement) rabbitmq_environment: LANG: 'en_US.UTF-8' LC_ALL: 'en_US.UTF-8' NODE_PORT: '' NODE_IP_ADDRESS: '' RABBITMQ_NODENAME: str_replace: template: "rabbit@%{lookup('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} RABBITMQ_USE_LONGNAME: 'true' RABBITMQ_CTL_DIST_PORT_MIN: '25673' RABBITMQ_CTL_DIST_PORT_MAX: '25683' 'export ERL_EPMD_ADDRESS': "%{lookup('rabbitmq::interface')}" tripleo::profile::base::rabbitmq::additional_erl_args: {get_param: RabbitAdditionalErlArgs} rabbitmq_kernel_variables: inet_dist_listen_min: '25672' inet_dist_listen_max: '25672' net_ticktime: {get_param: RabbitNetTickTime} rabbitmq_config_variables: cluster_partition_handling: 'ignore' queue_master_locator: '<<"min-masters">>' rabbitmq::config_additional_variables: lager: '[{crash_log_count, 0}, { crash_log_date, ""}, { crash_log_size, 0 }]' rabbitmq::erlang_cookie: {get_param: RabbitCookie} # NOTE: bind IP is found in hiera replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR rabbitmq::interface: str_replace: template: "%{lookup('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues} rabbitmq::ssl: {get_param: EnableInternalTLS} rabbitmq::ssl_erl_dist: {get_param: EnableInternalTLS} rabbitmq::ssl_port: 5672 rabbitmq::ssl_depth: 1 rabbitmq::ssl_only: {get_param: EnableInternalTLS} rabbitmq::ssl_interface: str_replace: template: "%{lookup('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} # TODO(jaosorior): Remove this once we set a proper default in # puppet-tripleo tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS} tripleo::profile::base::rabbitmq::fips_mode: {get_param: RabbitFIPS} rabbitmq::collect_statistics_interval: 30000 rabbitmq::admin_enable: false rabbitmq::management_enable: true rabbitmq::use_config_file_for_plugins: true rabbitmq::management_ip_address: if: - {get_param: RabbitmqEnableManagementAccess} - str_replace: template: "%{lookup('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, RabbitmqManagementNetwork]} - 127.0.0.1 rabbitmq::management_port: 15672 rabbitmq::config_management_variables: rates_mode: none tripleo::certmonger::rabbitmq::postsave_cmd: if: - {get_param: EnableInternalTLS} - true # Only set CAs then InternalTLSCAFile is not '' - if: - rabbitmq_cacert_set - rabbitmq::ssl_cacert: {get_param: InternalTLSCAFile} rabbitmq::ssl_management_cacert: {get_param: InternalTLSCAFile} - if: - {get_param: EnableInternalTLS} - tripleo::rabbitmq::service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' tripleo::profile::base::rabbitmq::certificate_specs: service_certificate: '/etc/pki/tls/certs/rabbitmq.crt' service_key: '/etc/pki/tls/private/rabbitmq.key' # BEGIN DOCKER SETTINGS puppet_config: config_volume: rabbitmq step_config: list_join: - "\n" - - "['Rabbitmq_policy', 'Rabbitmq_user'].each |String $val| { noop_resource($val) }" - "include tripleo::profile::base::rabbitmq" config_image: &rabbitmq_config_image {get_attr: [RoleParametersValue, value, ContainerRabbitmqConfigImage]} kolla_config: /var/lib/kolla/config_files/rabbitmq.json: command: /usr/lib/rabbitmq/bin/rabbitmq-server config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true - source: "/var/lib/kolla/config_files/src-tls/*" dest: "/" merge: true preserve_properties: true optional: true permissions: - path: /var/lib/rabbitmq owner: rabbitmq:rabbitmq recurse: true - path: /etc/pki/tls/certs/rabbitmq.crt owner: rabbitmq:rabbitmq optional: true - path: /etc/pki/tls/private/rabbitmq.key owner: rabbitmq:rabbitmq optional: true docker_config: # Kolla_bootstrap runs before permissions set by kolla_config step_1: rabbitmq_init_logs: start_order: 0 detach: false image: &rabbitmq_image {get_attr: [RoleParametersValue, value, ContainerRabbitmqImage]} net: none privileged: false user: root volumes: - /var/log/containers/rabbitmq:/var/log/rabbitmq command: ['/bin/bash', '-c', 'chown -R rabbitmq:rabbitmq /var/log/rabbitmq'] rabbitmq_bootstrap: start_order: 1 detach: false image: *rabbitmq_image net: host privileged: false volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/rabbitmq:/var/lib/kolla/config_files/src:ro - /var/lib/rabbitmq:/var/lib/rabbitmq - /var/log/containers/rabbitmq:/var/log/rabbitmq - if: - {get_param: EnableInternalTLS} - - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro - /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS KOLLA_BOOTSTRAP: true # NOTE: this should force this container to re-run on each # update (scale-out, etc.) TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} RABBITMQ_CLUSTER_COOKIE: {get_param: RabbitCookie} rabbitmq: start_order: 2 image: *rabbitmq_image net: host privileged: false restart: always healthcheck: test: /openstack/healthcheck volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/rabbitmq:/var/lib/kolla/config_files/src:ro - /var/lib/rabbitmq:/var/lib/rabbitmq:z - /var/log/containers/rabbitmq:/var/log/rabbitmq:z - if: - {get_param: EnableInternalTLS} - - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro - /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS container_puppet_tasks: # RabbitMQ users and policies initialization occurs only on single node step_2: config_volume: 'rabbit_init_tasks' puppet_tags: 'rabbitmq_policy,rabbitmq_user' step_config: 'include tripleo::profile::base::rabbitmq' config_image: *rabbitmq_config_image volumes: - /var/lib/config-data/puppet-generated/rabbitmq/etc/rabbitmq:/etc/rabbitmq:ro - /var/lib/rabbitmq:/var/lib/rabbitmq metadata_settings: if: - {get_param: EnableInternalTLS} - - service: rabbitmq network: {get_param: [ServiceNetMap, RabbitmqNetwork]} type: node deploy_steps_tasks: - name: Certificate generation when: - step|int == 1 - enable_internal_tls block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - name: rabbitmq dns: str_replace: template: "{{fqdn_$NETWORK}}" params: $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} principal: str_replace: template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}" params: $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} run_after: | container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?') service_crt="/etc/pki/tls/certs/rabbitmq.crt" service_key="/etc/pki/tls/private/rabbitmq.key" if echo "$container_name" | grep -q "^rabbitmq-bundle"; then # lp#1917868: Do not use podman cp with HA containers as they get # frozen temporarily and that can make pacemaker operation fail. tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv # no need to update the mount point, because pacemaker # recreates the container when it's restarted else # Refresh the cert at the mount-point {{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt" # Refresh the key at the mount-point {{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key" # Copy the new cert from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" # Copy the new key from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" fi # Set appropriate permissions {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt" {{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key" # Trigger a pem cache clear in RabbitMQ to read the new certificates {{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()." key_size: if: - key_size_override_set - {get_param: RabbitmqCertificateKeySize} - {get_param: CertificateKeySize} ca: ipa host_prep_tasks: - name: creat fcontext entry for rabbitmq data community.general.sefcontext: target: "/var/lib/rabbitmq(/.*)?" setype: container_file_t state: present - name: create persistent directories file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" mode: "{{ item.mode|default(omit) }}" with_items: - { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/lib/rabbitmq, 'setype': container_file_t } # TODO: Removal of package upgrade_tasks: [] update_tasks: [] # TODO: Are we sure we want to support this. Rolling update # without pacemaker may fail. Do we test this ? In any case, # this is under tripleo_container_manage control so the latest image should be # pulled in by the deploy steps. Same question for other # usually managed by pacemaker container.