![ramishra](/assets/img/avatar_default.png)
This was mainly there as an legacy interface which was for internal use. Now that we pull the passwords from the existing environment and don't use it, we can drop this. Reduces a number of heat resources. Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649
240 lines
8.9 KiB
YAML
240 lines
8.9 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized Neutron Metadata agent
|
|
|
|
parameters:
|
|
ContainerNeutronMetadataImage:
|
|
description: image
|
|
type: string
|
|
ContainerNeutronConfigImage:
|
|
description: The container image to use for the neutron config_volume
|
|
type: string
|
|
NeutronMetadataAgentLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.neutron.agent.metadata
|
|
file: /var/log/containers/neutron/metadata-agent.log
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
NeutronMetadataProxySharedSecret:
|
|
description: Shared secret to prevent spoofing
|
|
type: string
|
|
hidden: true
|
|
NeutronWorkers:
|
|
default: ''
|
|
description: |
|
|
Sets the number of worker processes for the neutron metadata agent. The
|
|
default value results in the configuration being left unset and a
|
|
system-dependent default will be chosen (usually the number of
|
|
processors). Please note that this can result in a large number of
|
|
processes and memory consumption on systems with a large core count. On
|
|
such systems it is recommended that a non-default value be selected that
|
|
matches the load requirements.
|
|
type: string
|
|
NeutronPassword:
|
|
description: The password for the neutron service and db account, used by neutron agents.
|
|
type: string
|
|
hidden: true
|
|
MonitoringSubscriptionNeutronMetadata:
|
|
default: 'overcloud-neutron-metadata'
|
|
type: string
|
|
Debug:
|
|
type: boolean
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
NeutronMetadataAgentDebug:
|
|
default: ''
|
|
description: Set to True to enable debugging for Neutron Metadata agent.
|
|
type: string
|
|
constraints:
|
|
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
|
|
conditions:
|
|
neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']}
|
|
service_debug_unset: {equals: [{get_param: NeutronMetadataAgentDebug}, '']}
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
NeutronBase:
|
|
type: ./neutron-base.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
NeutronLogging:
|
|
type: OS::TripleO::Services::Logging::NeutronCommon
|
|
properties:
|
|
NeutronServiceName: metadata-agent
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for Neutron Metadata agent
|
|
value:
|
|
service_name: neutron_metadata
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronMetadata}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [NeutronBase, role_data, config_settings]
|
|
- get_attr: [NeutronLogging, config_settings]
|
|
- neutron::agents::metadata::auth_password: {get_param: NeutronPassword}
|
|
neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
|
neutron::agents::metadata::auth_tenant: 'service'
|
|
neutron::agents::metadata::debug:
|
|
if:
|
|
- service_debug_unset
|
|
- {get_param: Debug}
|
|
- {get_param: NeutronMetadataAgentDebug}
|
|
neutron::agents::metadata::metadata_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('cloud_name_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
|
|
neutron::agents::metadata::metadata_protocol:
|
|
if:
|
|
- internal_tls_enabled
|
|
- 'https'
|
|
- 'http'
|
|
-
|
|
if:
|
|
- neutron_workers_unset
|
|
- {}
|
|
- neutron::agents::metadata::metadata_workers: {get_param: NeutronWorkers}
|
|
-
|
|
if:
|
|
- is_neutron_shared_metadata_notempty
|
|
- neutron::agents::metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret}
|
|
- {}
|
|
service_config_settings:
|
|
map_merge:
|
|
- get_attr: [NeutronBase, role_data, service_config_settings]
|
|
- rsyslog:
|
|
tripleo_logging_sources_neutron_metadata:
|
|
- {get_param: NeutronMetadataAgentLoggingSource}
|
|
puppet_config:
|
|
puppet_tags: neutron_config,neutron_metadata_agent_config
|
|
config_volume: neutron
|
|
step_config: |
|
|
include tripleo::profile::base::neutron::metadata
|
|
config_image: {get_param: ContainerNeutronConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/neutron_metadata_agent.json:
|
|
command:
|
|
list_join:
|
|
- ' '
|
|
- - /usr/bin/neutron-metadata-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/metadata_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-metadata-agent
|
|
- get_attr: [NeutronLogging, cmd_extra_args]
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/neutron
|
|
owner: neutron:neutron
|
|
recurse: true
|
|
- path: /var/lib/neutron
|
|
owner: neutron:neutron
|
|
recurse: true
|
|
docker_config:
|
|
step_4:
|
|
neutron_metadata_agent:
|
|
start_order: 10
|
|
image: {get_param: ContainerNeutronMetadataImage}
|
|
net: host
|
|
pid: host
|
|
privileged: true
|
|
restart: always
|
|
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NeutronLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/neutron_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
|
|
- /lib/modules:/lib/modules:ro
|
|
- /var/lib/neutron:/var/lib/neutron:shared,z
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
metadata_settings:
|
|
get_attr: [NeutronBase, role_data, metadata_settings]
|
|
host_prep_tasks:
|
|
list_concat:
|
|
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
|
- - name: create /var/lib/neutron
|
|
file:
|
|
path: /var/lib/neutron
|
|
state: directory
|
|
setype: container_file_t
|
|
- name: enable virt_sandbox_use_netlink for healthcheck
|
|
seboolean:
|
|
name: virt_sandbox_use_netlink
|
|
persistent: yes
|
|
state: yes
|
|
upgrade_tasks: []
|
|
post_upgrade_tasks:
|
|
- name: Check for neutron user
|
|
getent:
|
|
database: passwd
|
|
key: neutron
|
|
fail_key: false
|
|
- name: Set neutron_user_avail
|
|
set_fact:
|
|
neutron_user_avail: "{{ getent_passwd is defined }}"
|
|
- when:
|
|
- step|int == 2
|
|
- neutron_user_avail|bool
|
|
block:
|
|
- name: Ensure r/w access for existing files after upgrade
|
|
become: true
|
|
shell: |
|
|
umask 0002
|
|
setfacl -d -R -m u:neutron:rwx /var/lib/neutron
|
|
setfacl -R -m u:neutron:rw /var/lib/neutron
|
|
find /var/lib/neutron -type d -exec setfacl -m u:neutron:rwx '{}' \;
|
|
- name: Provide access to domain sockets
|
|
become: true
|
|
shell: |
|
|
umask 0002
|
|
setfacl -m u:neutron:rwx "{{ item }}"
|
|
with_items:
|
|
- /var/lib/neutron/metadata_proxy
|
|
- /var/lib/neutron/keepalived-state-change
|
|
- /var/lib/neutron
|
|
# These files are not necessarily present
|
|
failed_when: false
|