238 lines
8.2 KiB
YAML
238 lines
8.2 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack containerized Nova Migration Target service
|
|
|
|
parameters:
|
|
ContainerNovaComputeImage:
|
|
description: image
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
ContainerNovaLibvirtConfigImage:
|
|
description: The container image to use for the nova_libvirt config_volume
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
MigrationSshKey:
|
|
type: json
|
|
description: >
|
|
SSH key for migration.
|
|
Expects a dictionary with keys 'public_key' and 'private_key'.
|
|
Values should be identical to SSH public/private key files.
|
|
hidden: true
|
|
default:
|
|
public_key: ''
|
|
private_key: ''
|
|
MigrationSshPort:
|
|
default: 2022
|
|
description: Target port for migration over ssh
|
|
type: number
|
|
constraints:
|
|
- range: { min: 1, max: 65535 }
|
|
|
|
# DEPRECATED: the following options are deprecated and are currently maintained
|
|
# for backwards compatibility. They will be removed in future release.
|
|
DockerNovaMigrationSshdPort:
|
|
default: 0
|
|
description: Port that dockerized nova migration target sshd service
|
|
binds to.
|
|
type: number
|
|
constraints:
|
|
- range: { min: 0, max: 65535 }
|
|
|
|
parameter_groups:
|
|
- label: deprecated
|
|
description: Do not use deprecated params, they will be removed.
|
|
parameters:
|
|
- DockerNovaMigrationSshdPort
|
|
|
|
conditions:
|
|
docker_nova_migration_ssh_port_set: {not: {equals: [{get_param: DockerNovaMigrationSshdPort}, 0]}}
|
|
|
|
resources:
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- ContainerNovaComputeImage: ContainerNovaComputeImage
|
|
ContainerNovaLibvirtConfigImage: ContainerNovaLibvirtConfigImage
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
ContainerNovaComputeImage: {get_param: ContainerNovaComputeImage}
|
|
ContainerNovaLibvirtConfigImage: {get_param: ContainerNovaLibvirtConfigImage}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Nova Migration Target service.
|
|
value:
|
|
service_name: nova_migration_target
|
|
firewall_rules:
|
|
map_merge:
|
|
- map_merge:
|
|
repeat:
|
|
for_each:
|
|
<%net_cidr%>:
|
|
get_param:
|
|
- ServiceData
|
|
- net_cidr_map
|
|
- {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
template:
|
|
'113 nova_migration_target accept libvirt subnet <%net_cidr%>':
|
|
source: <%net_cidr%>
|
|
proto: 'tcp'
|
|
dport: {get_param: MigrationSshPort}
|
|
- map_merge:
|
|
repeat:
|
|
for_each:
|
|
<%net_cidr%>:
|
|
get_param:
|
|
- ServiceData
|
|
- net_cidr_map
|
|
- {get_param: [ServiceNetMap, NovaApiNetwork]}
|
|
template:
|
|
'113 nova_migration_target accept api subnet <%net_cidr%>':
|
|
source: <%net_cidr%>
|
|
proto: 'tcp'
|
|
dport: {get_param: MigrationSshPort}
|
|
config_settings:
|
|
tripleo::profile::base::nova::migration::target::ssh_authorized_keys:
|
|
- {get_param: [ MigrationSshKey, public_key ]}
|
|
tripleo::profile::base::sshd::listen:
|
|
- str_replace:
|
|
template:
|
|
"%{lookup('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
|
- str_replace:
|
|
template:
|
|
"%{lookup('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
tripleo::profile::base::sshd::port:
|
|
- if:
|
|
- docker_nova_migration_ssh_port_set
|
|
- {get_param: DockerNovaMigrationSshdPort}
|
|
- {get_param: MigrationSshPort}
|
|
tripleo::profile::base::sshd::password_authentication: 'no'
|
|
tripleo::profile::base::sshd::options:
|
|
HostKey:
|
|
- '/etc/ssh/ssh_host_rsa_key'
|
|
- '/etc/ssh/ssh_host_ecdsa_key'
|
|
- '/etc/ssh/ssh_host_ed25519_key'
|
|
SyslogFacility: 'AUTHPRIV'
|
|
AllowUsers: 'nova_migration'
|
|
AuthorizedKeysFile: '.ssh/authorized_keys'
|
|
ChallengeResponseAuthentication: 'no'
|
|
GSSAPIAuthentication: 'no'
|
|
GSSAPICleanupCredentials: 'no'
|
|
UsePAM: 'yes'
|
|
UseDNS: 'no'
|
|
AllowTcpForwarding: 'no'
|
|
X11Forwarding: 'no'
|
|
AcceptEnv:
|
|
- 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
|
|
- 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
|
|
- 'LC_IDENTIFICATION LC_ALL LANGUAGE'
|
|
- 'XMODIFIERS'
|
|
Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
|
|
puppet_config:
|
|
config_volume: nova_libvirt
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - include tripleo::profile::base::sshd
|
|
- include tripleo::profile::base::nova::migration::target
|
|
config_image: {get_attr: [RoleParametersValue, value, ContainerNovaLibvirtConfigImage]}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/nova-migration-target.json:
|
|
command: "/usr/sbin/sshd -D"
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: /host-ssh/ssh_host_*_key
|
|
dest: /etc/ssh/
|
|
owner: "root"
|
|
perm: "0600"
|
|
host_prep_tasks:
|
|
- name: nova migration target install task
|
|
include_role:
|
|
name: tripleo_nova_migration_target
|
|
tasks_from: install.yaml
|
|
docker_config:
|
|
step_4:
|
|
nova_migration_target:
|
|
image: {get_attr: [RoleParametersValue, value, ContainerNovaComputeImage]}
|
|
cap_add:
|
|
- AUDIT_WRITE
|
|
net: host
|
|
privileged: true
|
|
user: root
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- - /var/lib/kolla/config_files/nova-migration-target.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/nova_libvirt:/var/lib/kolla/config_files/src:ro
|
|
- /etc/ssh:/host-ssh:ro
|
|
- /run/libvirt:/run/libvirt:shared,z
|
|
- /var/lib/nova:/var/lib/nova:shared
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
deploy_steps_tasks:
|
|
- name: nova migration target configure tasks
|
|
include_role:
|
|
name: tripleo_nova_migration_target
|
|
tasks_from: configure.yaml
|
|
tags:
|
|
- opendev-validation
|
|
- opendev-validation-nova
|
|
when:
|
|
- not container_healthcheck_disabled
|
|
- step|int == 5
|
|
update_tasks:
|
|
- name: nova-migration-target update
|
|
when: step|int == 1
|
|
include_role:
|
|
name: tripleo_nova_migration_target
|
|
tasks_from: update.yaml
|
|
upgrade_tasks:
|
|
- name: nova-migration-target upgrade
|
|
when: step|int == 1
|
|
include_role:
|
|
name: tripleo_nova_migration_target
|
|
tasks_from: upgrade.yaml
|