heat_template_version: queens description: > OpenStack Glance API service configured with Puppet parameters: ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json Debug: default: false description: Set to True to enable debugging on all services. type: boolean GlanceDebug: default: '' description: Set to True to enable debugging Glance service. type: string constraints: - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE'] GlancePassword: description: The password for the glance service and db account, used by the glance services. type: string hidden: true GlanceWorkers: default: '' description: | Number of API worker processes for Glance. If left unset (empty string), the default value will result in the configuration being left unset and a system-dependent default value will be chosen (e.g.: number of processors). Please note that this will create a large number of processes on systems with a large number of CPUs resulting in excess memory consumption. It is recommended that a suitable non-default value be selected on such systems. type: string MonitoringSubscriptionGlanceApi: default: 'overcloud-glance-api' type: string GlanceApiLoggingSource: type: json default: tag: openstack.glance.api path: /var/log/glance/api.log GlanceImageMemberQuota: default: 128 description: | Maximum number of image members per image. Negative values evaluate to unlimited. type: number EnableInternalTLS: type: boolean default: false CephClientUserName: default: openstack type: string CephClusterName: type: string default: ceph description: The Ceph cluster name. constraints: - allowed_pattern: "[a-zA-Z0-9]+" description: > The Ceph cluster name must be at least 1 character and contain only letters and numbers. GlanceNotifierStrategy: description: Strategy to use for Glance notification queue type: string default: noop GlanceLogFile: description: The filepath of the file to use for logging messages from Glance. type: string default: '' GlanceBackend: default: swift description: The short name of the Glance backend to use. Should be one of swift, rbd, cinder, or file type: string constraints: - allowed_values: ['swift', 'file', 'rbd', 'cinder'] GlanceNfsEnabled: default: false description: > When using GlanceBackend 'file', mount NFS share for image storage. type: boolean GlanceNfsShare: default: '' description: > NFS share to mount for image storage (when GlanceNfsEnabled is true) type: string GlanceNetappNfsEnabled: default: false description: > When using GlanceBackend 'file', Netapp mount NFS share for image storage. type: boolean NetappShareLocation: default: '' description: > Netapp share to mount for image storage (when GlanceNetappNfsEnabled is true) type: string GlanceNfsOptions: default: '_netdev,bg,intr,context=system_u:object_r:glance_var_lib_t:s0' description: > NFS mount options for image storage (when GlanceNfsEnabled is true) type: string GlanceRbdPoolName: default: images type: string NovaEnableRbdBackend: default: false description: Whether to enable the Rbd backend for Nova ephemeral storage. type: boolean tags: - role_specific GlanceShowMultipleLocations: default: false description: | Whether to show multiple image locations e.g for copy-on-write support on RBD or Netapp backends. Potential security risk, see glance.conf for more information. type: boolean GlanceEnabledImportMethods: default: 'web-download' description: > List of enabled Image Import Methods. Valid values in the list are 'glance-direct' and 'web-download' type: comma_delimited_list GlanceStagingNfsShare: default: '' description: > NFS share to mount for image import staging type: string GlanceNodeStagingUri: default: 'file:///var/lib/glance/staging' description: > URI that specifies the staging location to use when importing images type: string GlanceStagingNfsOptions: default: '_netdev,bg,intr,context=system_u:object_r:glance_var_lib_t:s0' description: > NFS mount options for NFS image import staging type: string RabbitPassword: description: The password for RabbitMQ type: string hidden: true RabbitUserName: default: guest description: The username for RabbitMQ type: string RabbitClientPort: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number RabbitClientUseSSL: default: false description: > Rabbit client subscriber parameter to specify an SSL connection to the RabbitMQ host. type: string KeystoneRegion: type: string default: 'regionOne' description: Keystone region for endpoint GlanceApiPolicies: description: | A hash of policies to configure for Glance API. e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } } default: {} type: json NotificationDriver: type: string default: 'messagingv2' description: Driver or drivers to handle sending notifications. constraints: - allowed_values: [ 'messagingv2', 'noop' ] conditions: use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} glance_workers_unset: {equals : [{get_param: GlanceWorkers}, '']} service_debug_unset: {equals : [{get_param: GlanceDebug}, '']} cinder_backend_enabled: {equals: [{get_param: GlanceBackend}, cinder]} resources: TLSProxyBase: type: OS::TripleO::Services::TLSProxyBase properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: description: Role data for the Glance API role. value: service_name: glance_api monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi} config_settings: map_merge: - get_attr: [TLSProxyBase, role_data, config_settings] - glance::api::database_connection: make_url: scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} username: glance password: {get_param: GlancePassword} host: {get_param: [EndpointMap, MysqlInternal, host]} path: /glance query: read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::enable_v1_api: false glance::api::enable_v2_api: true glance::api::authtoken::password: {get_param: GlancePassword} glance::api::enable_proxy_headers_parsing: true glance::api::debug: if: - service_debug_unset - {get_param: Debug } - {get_param: GlanceDebug } glance::policy::policies: {get_param: GlanceApiPolicies} tripleo.glance_api.firewall_rules: '112 glance_api': dport: - 9292 - 13292 glance::api::authtoken::project_name: 'service' glance::api::authtoken::user_domain_name: 'Default' glance::api::authtoken::project_domain_name: 'Default' glance::api::pipeline: 'keystone' glance::api::show_image_direct_url: true glance::api::show_multiple_locations: {get_param: GlanceShowMultipleLocations} glance::api::os_region_name: {get_param: KeystoneRegion} glance::api::image_member_quota: {get_param: GlanceImageMemberQuota} glance::api::enabled_import_methods: {get_param: GlanceEnabledImportMethods} glance::api::node_staging_uri: {get_param: GlanceNodeStagingUri} # NOTE: bind IP is found in hiera replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR tripleo::profile::base::glance::api::tls_proxy_bind_ip: str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]} tripleo::profile::base::glance::api::tls_proxy_fqdn: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]} tripleo::profile::base::glance::api::tls_proxy_port: get_param: [EndpointMap, GlanceInternal, port] # Bind to localhost if internal TLS is enabled, since we put a TLs # proxy in front. glance::api::bind_host: if: - use_tls_proxy - "%{hiera('localhost_address')}" - str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]} glance_notifier_strategy: {get_param: GlanceNotifierStrategy} glance_log_file: {get_param: GlanceLogFile} glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri] } glance::backend::swift::swift_store_user: service:glance glance::backend::swift::swift_store_key: {get_param: GlancePassword} glance::backend::swift::swift_store_create_container_on_put: true glance::backend::swift::swift_store_auth_version: 3 glance::backend::rbd::rbd_store_ceph_conf: list_join: - '' - - '/etc/ceph/' - {get_param: CephClusterName} - '.conf' glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} glance_backend: {get_param: GlanceBackend} glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} glance::notify::rabbitmq::notification_driver: {get_param: NotificationDriver} tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled} tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare} tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions} - if: - glance_workers_unset - {} - glance::api::workers: {get_param: GlanceWorkers} - if: - cinder_backend_enabled - glance::backend::cinder::cinder_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri]} glance::backend::cinder::cinder_store_project_name: 'service' glance::backend::cinder::cinder_store_user_name: 'glance' glance::backend::cinder::cinder_store_password: {get_param: GlancePassword} - {} service_config_settings: fluentd: tripleo_fluentd_groups_glance_api: - glance tripleo_fluentd_sources_glance_api: - {get_param: GlanceApiLoggingSource} keystone: glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} glance::keystone::auth::password: {get_param: GlancePassword } glance::keystone::auth::region: {get_param: KeystoneRegion} glance::keystone::auth::tenant: 'service' mysql: glance::db::mysql::password: {get_param: GlancePassword} glance::db::mysql::user: glance glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} glance::db::mysql::dbname: glance glance::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" step_config: | include ::tripleo::profile::base::glance::api host_prep_tasks: - name: Mount Netapp NFS vars: netapp_nfs_backend_enable: {get_param: GlanceNetappNfsEnabled} block: - name: set_fact: remote_file_path: /etc/glance/glance-metadata-file.conf - name: file: path: "{{ remote_file_path }}" state: touch - stat: path="{{ remote_file_path }}" register: file_path - copy: content: {"share_location" : "{{item.NETAPP_SHARE}}", "mount_point" : "/var/lib/glance/images", "type" : "nfs",} dest: "{{ remote_file_path }}" with_items: - NETAPP_SHARE: {get_param: NetappShareLocation} when: - file_path.stat.exists == true - name: mount: name=/var/lib/glance/images src="{{item.NETAPP_SHARE}}" fstype=nfs4 opts="{{item.NFS_OPTIONS}}" state=mounted with_items: - NETAPP_SHARE: {get_param: NetappShareLocation} NFS_OPTIONS: {get_param: GlanceNfsOptions} when: netapp_nfs_backend_enable - name: Mount Node Staging Location vars: glance_node_staging_uri: {get_param: GlanceNodeStagingUri} glance_staging_nfs_share: {get_param: GlanceStagingNfsShare} glance_nfs_options: {get_param: GlanceStagingNfsOptions} # Gleaning mount point by stripping "file://" prefix from staging uri mount: name="{{glance_node_staging_uri[7:]}}" src="{{glance_staging_nfs_share}}" fstype=nfs opts="{{glance_nfs_options}}" state=mounted when: glance_staging_nfs_share != '' upgrade_tasks: - name: Check if glance_api is deployed command: systemctl is-enabled openstack-glance-api tags: common ignore_errors: True register: glance_api_enabled #(TODO) Remove all glance-registry bits in Pike. - name: Check if glance_registry is deployed command: systemctl is-enabled openstack-glance-registry tags: common ignore_errors: True register: glance_registry_enabled - name: "PreUpgrade step0,validation: Check service openstack-glance-api is running" shell: /usr/bin/systemctl show 'openstack-glance-api' --property ActiveState | grep '\bactive\b' tags: validation when: - step|int == 0 - glance_api_enabled.rc == 0 - name: Stop glance_api service when: - step|int == 1 - glance_api_enabled.rc == 0 service: name=openstack-glance-api state=stopped - name: Stop and disable glance registry (removed for Ocata) when: - step|int == 1 - glance_registry_enabled.rc == 0 service: name=openstack-glance-registry state=stopped enabled=no metadata_settings: get_attr: [TLSProxyBase, role_data, metadata_settings]