tripleo-heat-templates/docker/services/nova-compute.yaml
Tony Breeds 27e547c07b Increase the default memlock to 64MiB via `DockerNovaComputeUlimit`.
This builds on I0fb688bfe03cd0459f6f74ca37e3e6c913b0cbcb to raise the
ulimit for locked memory on nova containers[1].  This is needed because
of [2] where the transient container nova_cell_v2_discover_hosts fails
with permission denied on ppc64le

Note: this is a limit maximum not a pre-allocation so for existing
containers and architectures the impact is expected to be a no-op.

[1] Currently nova_compute and nova_cell_v2_discover_hosts
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1709564

Conflicts:
    deployment/nova/nova-compute-container-puppet.yaml

Change-Id: I6d68431fd3c66c9496a36d3cfa9c2efe57e2ed99
(cherry picked from commit 6ce5989e49)
(cherry picked from commit 1293c460e9)
(cherry picked from commit 44e018c40a)
2019-07-11 09:23:16 +02:00

392 lines
15 KiB
YAML

heat_template_version: queens
description: >
OpenStack containerized Nova Compute service
parameters:
DockerNovaComputeImage:
description: image
type: string
DockerNovaLibvirtConfigImage:
description: The container image to use for the nova_libvirt config_volume
type: string
DockerNovaComputeUlimit:
default: ['nofile=131072', 'memlock=67108864']
description: ulimit for Nova Compute Container
type: comma_delimited_list
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
DockerNovaMigrationSshdPort:
default: 2022
description: Port that dockerized nova migration target sshd service
binds to.
type: number
UpgradeLevelNovaCompute:
type: string
description: Nova Compute upgrade level
default: ''
CephClientUserName:
default: openstack
type: string
CephClusterName:
type: string
default: ceph
description: The Ceph cluster name.
constraints:
- allowed_pattern: "[a-zA-Z0-9]+"
description: >
The Ceph cluster name must be at least 1 character and contain only
letters and numbers.
NovaComputeOptVolumes:
default: []
description: list of optional vo
type: comma_delimited_list
NovaComputeOptEnvVars:
default: []
description: list of optional en
type: comma_delimited_list
EnableInstanceHA:
default: false
description: Whether to enable an Instance Ha configurarion or not.
This setup requires the Compute role to have the
PacemakerRemote service added to it.
type: boolean
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
resources:
ContainersCommon:
type: ./containers-common.yaml
MySQLClient:
type: ../../puppet/services/database/mysql-client.yaml
NovaComputeCommon:
type: ./nova-compute-common.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaComputeBase:
type: ../../puppet/services/nova-compute.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaLogging:
type: OS::TripleO::Services::Logging::NovaCommon
properties:
DockerNovaImage: {get_param: DockerNovaComputeImage}
NovaServiceName: 'compute'
conditions:
enable_instance_ha: {equals: [{get_param: EnableInstanceHA}, true]}
outputs:
role_data:
description: Role data for the Nova Compute service.
value:
service_name: {get_attr: [NovaComputeBase, role_data, service_name]}
config_settings:
map_merge:
- get_attr: [NovaComputeBase, role_data, config_settings]
- get_attr: [NovaLogging, config_settings]
logging_source: {get_attr: [NovaComputeBase, role_data, logging_source]}
logging_groups: {get_attr: [NovaComputeBase, role_data, logging_groups]}
service_config_settings: {get_attr: [NovaComputeBase, role_data, service_config_settings]}
puppet_config:
config_volume: nova_libvirt
puppet_tags: nova_config,nova_paste_api_ini
step_config:
list_join:
- "\n"
- - {get_attr: [NovaComputeBase, role_data, step_config]}
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: DockerNovaLibvirtConfigImage}
kolla_config:
/var/lib/kolla/config_files/nova_compute.json:
command:
list_join:
- ' '
- - if:
- enable_instance_ha
- /var/lib/nova/instanceha/check-run-nova-compute
- /usr/bin/nova-compute
- get_attr: [NovaLogging, cmd_extra_args]
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-iscsid/*"
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-ceph/"
dest: "/etc/ceph/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/nova
owner: nova:nova
recurse: true
- path:
str_replace:
template: /etc/ceph/CLUSTER.client.USER.keyring
params:
CLUSTER: {get_param: CephClusterName}
USER: {get_param: CephClientUserName}
owner: nova:nova
perm: '0600'
docker_config_scripts: {get_attr: [NovaComputeCommon, docker_config_scripts]}
docker_config:
step_2:
get_attr: [NovaLogging, docker_config, step_2]
step_3:
nova_statedir_owner:
image: &nova_compute_image {get_param: DockerNovaComputeImage}
user: root
privileged: false
detach: false
volumes:
- /var/lib/nova:/var/lib/nova:shared
- /var/lib/docker-config-scripts/:/docker-config-scripts/
command: "/docker-config-scripts/nova_statedir_ownership.py"
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
- list_join:
- ''
- - 'TRIPLEO_DEPLOY_IDENTIFIER='
- {get_param: DeployIdentifier}
step_4:
map_merge:
- nova_wait_for_placement_service:
start_order: 2
image: *nova_compute_image
user: nova
net: host
privileged: false
detach: false
volumes:
- /var/lib/docker-config-scripts/:/docker-config-scripts/
- /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova:ro
command: "/docker-config-scripts/nova_wait_for_placement_service.py"
- nova_compute:
start_order: 3
image: *nova_compute_image
ulimit: {get_param: DockerNovaComputeUlimit}
ipc: host
net: host
privileged: true
user: nova
restart: always
healthcheck:
test:
list_join:
- ' '
- - '/openstack/healthcheck'
- yaql:
expression: str($.data.port)
data:
port: {get_attr: [NovaComputeBase, role_data, config_settings, 'nova::rabbit_port']}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NovaLogging, volumes]}
- {get_param: NovaComputeOptVolumes}
-
- /var/lib/kolla/config_files/nova_compute.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova_libvirt/:/var/lib/kolla/config_files/src:ro
- /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
- /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
- /dev:/dev
- /lib/modules:/lib/modules:ro
- /run:/run
- /var/lib/iscsi:/var/lib/iscsi
- /var/lib/nova:/var/lib/nova:shared
- /var/lib/libvirt:/var/lib/libvirt
- /sys/class/net:/sys/class/net
- /sys/bus/pci:/sys/bus/pci
environment:
list_concat:
- {get_param: NovaComputeOptEnvVars}
-
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- nova_wait_for_compute_service:
start_order: 4
image: *nova_compute_image
net: host
detach: false
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/config-data/nova_libvirt/etc/my.cnf.d/:/etc/my.cnf.d/:ro
- /var/lib/config-data/nova_libvirt/etc/nova/:/etc/nova/:ro
- /var/log/containers/nova:/var/log/nova
- /var/lib/docker-config-scripts/:/docker-config-scripts/
user: nova
command: "/docker-config-scripts/nova_wait_for_compute_service.py"
step_5:
nova_cell_v2_discover_hosts:
start_order: 0
image: *nova_compute_image
net: host
detach: false
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/config-data/nova_libvirt/etc/my.cnf.d/:/etc/my.cnf.d/:ro
- /var/lib/config-data/nova_libvirt/etc/nova/:/etc/nova/:ro
- /var/log/containers/nova:/var/log/nova
- /var/lib/docker-config-scripts/:/docker-config-scripts/
user: root
command: "/usr/bin/bootstrap_host_exec nova_compute su nova -s /bin/bash -c '/docker-config-scripts/nova_cell_v2_discover_hosts.py'"
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
- list_join:
- ''
- - 'TRIPLEO_DEPLOY_IDENTIFIER='
- {get_param: DeployIdentifier}
host_prep_tasks:
list_concat:
- {get_attr: [NovaLogging, host_prep_tasks]}
- {get_attr: [NovaComputeBase, role_data, host_prep_tasks]}
- - name: create persistent directories
file:
path: "{{ item }}"
state: directory
with_items:
- /var/lib/nova
- /var/lib/nova/instances
- /var/lib/libvirt
- name: ensure ceph configurations exist
file:
path: /etc/ceph
state: directory
- name: is Instance HA enabled
set_fact:
instance_ha_enabled: {get_param: EnableInstanceHA}
- name: install Instance HA recovery script
when: instance_ha_enabled|bool
block:
- name: prepare Instance HA script directory
file:
path: /var/lib/nova/instanceha
state: directory
- name: install Instance HA script that runs nova-compute
copy:
content: {get_file: ../../extraconfig/tasks/instanceha/check-run-nova-compute}
dest: /var/lib/nova/instanceha/check-run-nova-compute
mode: 0755
- name: Get list of instance HA compute nodes
command: hiera -c /etc/puppet/hiera.yaml compute_instanceha_short_node_names
register: iha_nodes
- name: If instance HA is enabled on the node activate the evacuation completed check
file: path=/var/lib/nova/instanceha/enabled state=touch
when: iha_nodes.stdout|lower | search('"'+ansible_hostname|lower+'"')
upgrade_tasks:
- when: step|int == 0
tags: common
block:
- name: Check if nova_compute is deployed
command: systemctl is-enabled --quiet openstack-nova-compute
ignore_errors: True
register: nova_compute_enabled_result
- name: Set fact nova_compute_enabled
set_fact:
nova_compute_enabled: "{{ nova_compute_enabled_result.rc == 0 }}"
- when: step|int == 1
block:
- name: Set compute upgrade level to auto
ini_file:
str_replace:
template: "dest=/etc/nova/nova.conf section=upgrade_levels option=compute value=LEVEL"
params:
LEVEL: {get_param: UpgradeLevelNovaCompute}
- when: step|int == 2
block:
- name: Stop and disable nova-compute service
when: nova_compute_enabled|bool
service: name=openstack-nova-compute state=stopped enabled=no
- name: Remove openstack-nova-compute and python-nova package during upgrade
package: name={{ item }} state=removed
with_items:
- openstack-nova-compute
- python-nova
ignore_errors: True
update_tasks:
- name: Remove openstack-nova-compute and python-nova package during update
package: name={{ item }} state=removed
with_items:
- openstack-nova-compute
- python-nova
ignore_errors: True
when: step|int == 2
fast_forward_upgrade_tasks:
- name: Check if nova-compute is deployed
command: systemctl is-enabled --quiet openstack-nova-compute
ignore_errors: True
register: nova_compute_enabled_result
when:
- step|int == 0
- release == 'ocata'
- name: Set fact nova_compute_enabled
set_fact:
nova_compute_enabled: "{{ nova_compute_enabled_result.rc == 0 }}"
when:
- step|int == 0
- release == 'ocata'
- name: Stop and disable nova-compute service
service: name=openstack-nova-compute state=stopped
when:
- step|int == 1
- nova_compute_enabled|bool
- release == 'ocata'
- name: Set upgrade marker in nova statedir
when:
- step|int == 1
- nova_compute_enabled|bool
- release == 'ocata'
file: path=/var/lib/nova/upgrade_marker state=touch owner=nova group=nova