86de3c3501
With recent version of libvirt, nova-compute don't come up correct when tls-everywhere (use_tls_for_live_migration) is set. The enable_live_migration_tunnelled condition did not consider tls-livemigration and got disabled. Nova-compute fails to start with: 2021-05-12 12:49:09.278 7 ERROR oslo_service.service nova.exception.Invalid: Setting both 'live_migration_tunnelled' and 'live_migration_with_native_tls' at the same time is invalid. If you have the relevant libvirt and QEMU versions, and TLS configured in your environment, pick 'live_migration_with_native_tls'._ This change enhance the enable_live_migration_tunnelled condition to not configure tunnelled mode when use_tls_for_live_migration is true. Conflicts: - deployment/nova/nova-compute-container-puppet.yaml NOTE(dvd): -91837d4fa7
Add new parameters to configure nova-compute direct rbd image download -addcee106e
Add ability to configure glance multiple cinder stores Closes-Bug: #1928554 Related-bug: https://bugzilla.redhat.com/show_bug.cgi?id=1959808 Change-Id: I1a6f5d3a98d185415b772fa6a94d6f4329dc59a0 (cherry picked from commit3a472cbbe8
) (cherry picked from commit4b1da5cd5b
)
933 lines
38 KiB
YAML
933 lines
38 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack Libvirt Service
|
|
|
|
parameters:
|
|
ContainerNovaLibvirtImage:
|
|
description: image
|
|
type: string
|
|
# we configure libvirt via the nova-compute container due to coupling
|
|
# in the puppet modules
|
|
ContainerNovaLibvirtConfigImage:
|
|
description: The container image to use for the nova_libvirt config_volume
|
|
type: string
|
|
ContainerNovaLibvirtUlimit:
|
|
default: ['nofile=131072', 'nproc=126960']
|
|
description: ulimit for Nova Libvirt Container
|
|
type: comma_delimited_list
|
|
ContainerNovaLibvirtPidsLimit:
|
|
default: 65536
|
|
description: Tune nova_libvirt container PID limit (set to 0 for unlimited)
|
|
(defaults to 65536)
|
|
type: number
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
UseTLSTransportForLiveMigration:
|
|
type: boolean
|
|
default: true
|
|
description: If set to true and if EnableInternalTLS is enabled, it will
|
|
set the libvirt URI's transport to tls and configure the
|
|
relevant keys for libvirt.
|
|
NovaEnableRbdBackend:
|
|
default: false
|
|
description: Whether to enable the Rbd backend for Nova ephemeral storage.
|
|
type: boolean
|
|
tags:
|
|
- role_specific
|
|
CinderEnableRbdBackend:
|
|
default: false
|
|
description: Whether to enable or not the Rbd backend for Cinder
|
|
type: boolean
|
|
CephClientKey:
|
|
description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
|
|
type: string
|
|
hidden: true
|
|
constraints:
|
|
- allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
|
|
CephClusterFSID:
|
|
type: string
|
|
description: The Ceph cluster FSID. Must be a UUID.
|
|
CephClientUserName:
|
|
default: openstack
|
|
type: string
|
|
CephClusterName:
|
|
type: string
|
|
default: ceph
|
|
description: The Ceph cluster name.
|
|
constraints:
|
|
- allowed_pattern: "[a-zA-Z0-9]+"
|
|
description: >
|
|
The Ceph cluster name must be at least 1 character and contain only
|
|
letters and numbers.
|
|
UseTLSTransportForVnc:
|
|
type: boolean
|
|
default: true
|
|
description: If set to true and if EnableInternalTLS is enabled, it will
|
|
enable TLS transaport for libvirt VNC and configure the
|
|
relevant keys for libvirt.
|
|
UseTLSTransportForNbd:
|
|
type: boolean
|
|
default: true
|
|
description: If set to true and if EnableInternalTLS is enabled, it will
|
|
enable TLS transaport for libvirt NBD and configure the
|
|
relevant keys for libvirt.
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
InternalTLSNbdCAFile:
|
|
default: '/etc/pki/qemu/ca-cert.pem'
|
|
type: string
|
|
description: Specifies the CA cert to use for NBD TLS.
|
|
InternalTLSVncCAFile:
|
|
default: '/etc/pki/CA/certs/vnc.crt'
|
|
type: string
|
|
description: Specifies the CA cert to use for VNC TLS.
|
|
InternalTLSQemuCAFile:
|
|
default: '/etc/pki/CA/certs/qemu.pem'
|
|
type: string
|
|
description: Specifies the CA cert to use for qemu.
|
|
CertificateKeySize:
|
|
type: string
|
|
default: '2048'
|
|
description: Specifies the private key size used when creating the
|
|
certificate.
|
|
LibvirtCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
LibvirtVNCServerCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
QemuServerCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
QemuClientCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
LibvirtCACert:
|
|
type: string
|
|
default: ''
|
|
description: This specifies the CA certificate to use for TLS in libvirt.
|
|
This file will be symlinked to the default CA path in libvirt,
|
|
which is /etc/pki/CA/cacert.pem. Note that due to limitations
|
|
GNU TLS, which is the TLS backend for libvirt, the file must
|
|
be less than 65K (so we can't use the system's CA bundle).
|
|
This parameter should be used if the default (which comes from
|
|
the InternalTLSCAFile parameter) is not desired. The current
|
|
default reflects TripleO's default CA, which is FreeIPA.
|
|
It will only be used if internal TLS is enabled.
|
|
QemuCACert:
|
|
type: string
|
|
default: ''
|
|
description: This specifies the CA certificate to use for qemu.
|
|
This file will be symlinked to the default CA path,
|
|
which is /etc/pki/qemu/ca-cert.pem.
|
|
This parameter should be used if the default (which comes from
|
|
the InternalTLSQemuCAFile parameter) is not desired. The current
|
|
default reflects TripleO's default CA, which is FreeIPA.
|
|
It will only be used if internal TLS is enabled.
|
|
LibvirtVncCACert:
|
|
type: string
|
|
default: ''
|
|
description: This specifies the CA certificate to use for VNC TLS.
|
|
This file will be symlinked to the default CA path,
|
|
which is /etc/pki/libvirt-vnc/ca-cert.pem.
|
|
This parameter should be used if the default (which comes from
|
|
the InternalTLSVncCAFile parameter) is not desired. The current
|
|
default reflects TripleO's default CA, which is FreeIPA.
|
|
It will only be used if internal TLS is enabled.
|
|
LibvirtNbdCACert:
|
|
type: string
|
|
default: ''
|
|
description: This specifies the CA certificate to use for NBD TLS.
|
|
This file will be symlinked to the default CA path,
|
|
which is /etc/pki/libvirt-nbd/ca-cert.pem.
|
|
This parameter should be used if the default (which comes from
|
|
the InternalTLSNbdCAFile parameter) is not desired. The current
|
|
default reflects TripleO's default CA, which is FreeIPA.
|
|
It will only be used if internal TLS is enabled.
|
|
VhostuserSocketGroup:
|
|
default: "qemu"
|
|
description: >
|
|
The vhost-user socket directory group name.
|
|
Defaults to 'qemu'. When vhostuser mode is 'dpdkvhostuserclient'
|
|
(which is the default mode), the vhost socket is created by qemu.
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
QemuMemoryBackingDir:
|
|
type: string
|
|
description: >
|
|
Directory used for memoryBacking source if configured as file.
|
|
NOTE: big files will be stored here
|
|
default: ''
|
|
tags:
|
|
- role_specific
|
|
|
|
ContainerCli:
|
|
type: string
|
|
default: 'podman'
|
|
description: CLI tool used to manage containers.
|
|
constraints:
|
|
- allowed_values: ['docker', 'podman']
|
|
NovaComputeLibvirtType:
|
|
type: string
|
|
default: kvm
|
|
LibvirtEnabledPerfEvents:
|
|
type: comma_delimited_list
|
|
default: []
|
|
description: This is a performance event list which could be used as monitor.
|
|
For example - ``enabled_perf_events = cmt, mbml, mbmt``
|
|
The supported events list can be found in
|
|
https://libvirt.org/html/libvirt-libvirt-domain.html ,
|
|
which you may need to search key words ``VIR_PERF_PARAM_*``
|
|
MonitoringSubscriptionNovaLibvirt:
|
|
default: 'overcloud-nova-libvirt'
|
|
type: string
|
|
MigrationSshKey:
|
|
type: json
|
|
description: >
|
|
SSH key for migration.
|
|
Expects a dictionary with keys 'public_key' and 'private_key'.
|
|
Values should be identical to SSH public/private key files.
|
|
default:
|
|
public_key: ''
|
|
private_key: ''
|
|
MigrationSshPort:
|
|
default: 2022
|
|
description: Target port for migration over ssh
|
|
type: number
|
|
LibvirtTLSPassword:
|
|
description: The password for the libvirt service when TLS is enabled
|
|
type: string
|
|
hidden: true
|
|
QemuDefaultTLSVerify:
|
|
description: >
|
|
Whether to enable or disable TLS client certificate verification. Enabling this
|
|
option will reject any client who does not have a certificate signed by the CA
|
|
in /etc/pki/qemu/ca-cert.pem
|
|
default: true
|
|
type: boolean
|
|
LibvirtLogFilters:
|
|
description: Defines a filter in libvirt daemon to select a different
|
|
logging level for a given category log outputs, as specified
|
|
in https://libvirt.org/logging.html .
|
|
type: string
|
|
default: '1:libvirt 1:qemu 1:conf 1:security 3:event 3:json 3:file 3:object 1:util'
|
|
LibvirtVirtlogdLogFilters:
|
|
description: Defines a filter in virtlogd to select a different
|
|
logging level for a given category log outputs, as specified
|
|
in https://libvirt.org/logging.html .
|
|
type: string
|
|
default: '1:logging 4:object 4:json 4:event 1:util'
|
|
LibvirtTLSPriority:
|
|
description: >
|
|
Override the compile time default TLS priority string.
|
|
type: string
|
|
default: 'NORMAL:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.2'
|
|
NovaLibvirtOptVolumes:
|
|
default: []
|
|
description: list of optional volumes to be mounted
|
|
type: comma_delimited_list
|
|
tags:
|
|
- role_specific
|
|
|
|
conditions:
|
|
|
|
use_tls_for_live_migration:
|
|
and:
|
|
- {get_param: EnableInternalTLS}
|
|
- {get_param: UseTLSTransportForLiveMigration}
|
|
|
|
libvirt_specific_ca_unset:
|
|
equals:
|
|
- {get_param: LibvirtCACert}
|
|
- ''
|
|
|
|
need_libvirt_secret:
|
|
or:
|
|
- equals:
|
|
- {get_param: [RoleParameters, NovaEnableRbdBackend]}
|
|
- true
|
|
- and:
|
|
- equals:
|
|
- {get_param: [RoleParameters, NovaEnableRbdBackend]}
|
|
- ''
|
|
- equals:
|
|
- {get_param: NovaEnableRbdBackend}
|
|
- true
|
|
- equals:
|
|
- {get_param: CinderEnableRbdBackend}
|
|
- true
|
|
|
|
use_tls_for_vnc:
|
|
and:
|
|
- equals:
|
|
- {get_param: EnableInternalTLS}
|
|
- true
|
|
- equals:
|
|
- {get_param: UseTLSTransportForVnc}
|
|
- true
|
|
|
|
libvirt_vnc_specific_ca_unset:
|
|
equals:
|
|
- {get_param: LibvirtVncCACert}
|
|
- ''
|
|
|
|
memory_backing_dir_set:
|
|
not:
|
|
and:
|
|
- equals:
|
|
- {get_param: QemuMemoryBackingDir}
|
|
- ''
|
|
- equals:
|
|
- {get_param: [RoleParameters, QemuMemoryBackingDir]}
|
|
- ''
|
|
|
|
use_tls_for_nbd:
|
|
and:
|
|
- equals:
|
|
- {get_param: EnableInternalTLS}
|
|
- true
|
|
- equals:
|
|
- {get_param: UseTLSTransportForNbd}
|
|
- true
|
|
|
|
libvirt_nbd_specific_ca_unset:
|
|
equals:
|
|
- {get_param: LibvirtNbdCACert}
|
|
- ''
|
|
|
|
qemu_specific_ca_unset:
|
|
equals:
|
|
- {get_param: QemuCACert}
|
|
- ''
|
|
|
|
key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']}
|
|
key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']}
|
|
key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']}
|
|
key_size_qemu_server_override_unset: {equals: [{get_param: QemuServerCertificateKeySize}, '']}
|
|
|
|
resources:
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- vhostuser_socket_group: VhostuserSocketGroup
|
|
nova::compute::libvirt::qemu::memory_backing_dir: QemuMemoryBackingDir
|
|
nova_libvirt_opt_volumes: NovaLibvirtOptVolumes
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
VhostuserSocketGroup: {get_param: VhostuserSocketGroup}
|
|
QemuMemoryBackingDir: {get_param: QemuMemoryBackingDir}
|
|
NovaLibvirtOptVolumes: {get_param: NovaLibvirtOptVolumes}
|
|
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
NovaLibvirtLogging:
|
|
type: OS::TripleO::Services::Logging::NovaLibvirt
|
|
|
|
NovaBase:
|
|
type: ./nova-base-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Libvirt service.
|
|
value:
|
|
service_name: nova_libvirt
|
|
firewall_rules:
|
|
'200 nova_libvirt':
|
|
dport:
|
|
- 16514
|
|
- '61152-61215'
|
|
- '5900-6923'
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [NovaBase, role_data, config_settings]
|
|
- get_attr: [RoleParametersValue, value]
|
|
- get_attr: [NovaLibvirtLogging, config_settings]
|
|
# we include ::nova::compute::libvirt::services in nova/libvirt profile
|
|
- nova::compute::libvirt::manage_libvirt_services: false
|
|
# we manage migration in nova common puppet profile
|
|
nova::compute::libvirt::migration_support: false
|
|
nova::compute::rbd::libvirt_images_rbd_ceph_conf:
|
|
list_join:
|
|
- ''
|
|
- - '/etc/ceph/'
|
|
- {get_param: CephClusterName}
|
|
- '.conf'
|
|
nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
|
|
nova::compute::rbd::rbd_keyring:
|
|
list_join:
|
|
- '.'
|
|
- - 'client'
|
|
- {get_param: CephClientUserName}
|
|
nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey}
|
|
nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID}
|
|
tripleo::profile::base::nova::migration::client::libvirt_enabled: true
|
|
tripleo::profile::base::nova::migration::client::ssh_private_key: {get_param: [ MigrationSshKey, private_key ]}
|
|
tripleo::profile::base::nova::migration::client::ssh_port: {get_param: MigrationSshPort}
|
|
nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
|
|
nova::compute::libvirt::virt_type: {get_param: NovaComputeLibvirtType}
|
|
nova::compute::libvirt::enabled_perf_events: {get_param: LibvirtEnabledPerfEvents}
|
|
nova::compute::libvirt::qemu::configure_qemu: true
|
|
nova::compute::libvirt::qemu::max_files: 32768
|
|
nova::compute::libvirt::qemu::max_processes: 131072
|
|
nova::migration::qemu::configure_qemu: true
|
|
nova::migration::qemu::migration_port_min: 61152
|
|
nova::migration::qemu::migration_port_max: 61215
|
|
nova::compute::libvirt::vncserver_listen:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
nova::compute::libvirt::log_filters: {get_param: LibvirtLogFilters}
|
|
nova::compute::libvirt::virtlogd::log_filters: {get_param: LibvirtVirtlogdLogFilters}
|
|
rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
|
|
-
|
|
if:
|
|
- use_tls_for_live_migration
|
|
-
|
|
generate_service_certificates: true
|
|
tripleo::profile::base::nova::migration::client::libvirt_tls: true
|
|
tripleo::profile::base::nova::libvirt::tls_password: {get_param: [LibvirtTLSPassword]}
|
|
nova::compute::libvirt::qemu::default_tls_verify: {get_param: QemuDefaultTLSVerify}
|
|
nova::compute::libvirt::tls_priority: {get_param: LibvirtTLSPriority}
|
|
nova::migration::libvirt::listen_address:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
nova::migration::libvirt::live_migration_inbound_addr:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
tripleo::certmonger::ca::libvirt::origin_ca_pem:
|
|
if:
|
|
- libvirt_specific_ca_unset
|
|
- get_param: InternalTLSCAFile
|
|
- get_param: LibvirtCACert
|
|
tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
|
|
tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
|
|
libvirt_certificates_specs:
|
|
libvirt-server-cert:
|
|
service_certificate: '/etc/pki/libvirt/servercert.pem'
|
|
service_key: '/etc/pki/libvirt/private/serverkey.pem'
|
|
hostname:
|
|
str_replace:
|
|
template: "%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "libvirt/%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
libvirt-client-cert:
|
|
service_certificate: '/etc/pki/libvirt/clientcert.pem'
|
|
service_key: '/etc/pki/libvirt/private/clientkey.pem'
|
|
hostname:
|
|
str_replace:
|
|
template: "%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "libvirt/%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
key_size:
|
|
if:
|
|
- key_size_libvirtvnc_override_unset
|
|
- {get_param: CertificateKeySize}
|
|
- {get_param: LibvirtCertificateKeySize}
|
|
# create the qemu and qemu_ndb dirs and certs also when when tls for nbd
|
|
# is not enabled this allows us to enable it even at a later time without
|
|
# restart of instances
|
|
tripleo::certmonger::qemu_dirs::certificate_dir: '/etc/pki/qemu'
|
|
tripleo::certmonger::qemu_nbd_dirs::certificate_dir: '/etc/pki/libvirt-nbd'
|
|
tripleo::certmonger::ca::qemu::origin_ca_pem:
|
|
if:
|
|
- qemu_specific_ca_unset
|
|
- get_param: InternalTLSQemuCAFile
|
|
- get_param: QemuCACert
|
|
qemu_certificates_specs:
|
|
qemu-server-cert:
|
|
cacertfile:
|
|
if:
|
|
- qemu_specific_ca_unset
|
|
- get_param: InternalTLSQemuCAFile
|
|
- null
|
|
service_certificate: '/etc/pki/qemu/server-cert.pem'
|
|
service_key: '/etc/pki/qemu/server-key.pem'
|
|
hostname:
|
|
str_replace:
|
|
template: "%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "qemu/%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
key_size:
|
|
if:
|
|
- key_size_qemu_server_override_unset
|
|
- {get_param: CertificateKeySize}
|
|
- {get_param: QemuServerCertificateKeySize}
|
|
qemu-nbd-client-cert:
|
|
service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
|
|
service_key: '/etc/pki/libvirt-nbd/client-key.pem'
|
|
hostname:
|
|
str_replace:
|
|
template: "%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "qemu/%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
key_size:
|
|
if:
|
|
- key_size_qemu_client_override_unset
|
|
- {get_param: CertificateKeySize}
|
|
- {get_param: QemuClientCertificateKeySize}
|
|
-
|
|
nova::migration::libvirt::live_migration_inbound_addr:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
-
|
|
if:
|
|
- use_tls_for_vnc
|
|
-
|
|
nova::compute::libvirt::qemu::vnc_tls: true
|
|
nova::compute::libvirt::qemu::vnc_tls_verify: true
|
|
generate_service_certificates: true
|
|
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
|
|
if:
|
|
- libvirt_vnc_specific_ca_unset
|
|
- get_param: InternalTLSVncCAFile
|
|
- get_param: LibvirtVncCACert
|
|
tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
|
|
libvirt_vnc_certificates_specs:
|
|
libvirt-vnc-server-cert:
|
|
cacertfile:
|
|
if:
|
|
- libvirt_vnc_specific_ca_unset
|
|
- get_param: InternalTLSVncCAFile
|
|
- null
|
|
service_certificate: '/etc/pki/libvirt-vnc/server-cert.pem'
|
|
service_key: '/etc/pki/libvirt-vnc/server-key.pem'
|
|
hostname:
|
|
str_replace:
|
|
template: "%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
key_size:
|
|
if:
|
|
- key_size_libvirtvnc_override_unset
|
|
- {get_param: CertificateKeySize}
|
|
- {get_param: LibvirtVNCServerCertificateKeySize}
|
|
- {}
|
|
-
|
|
if:
|
|
- use_tls_for_nbd
|
|
-
|
|
nova::compute::libvirt::qemu::nbd_tls: true
|
|
nova::migration::libvirt::live_migration_with_native_tls: true
|
|
- {}
|
|
puppet_config:
|
|
config_volume: nova_libvirt
|
|
puppet_tags: libvirtd_config,virtlogd_config,nova_config,file,libvirt_tls_password
|
|
step_config: |
|
|
include tripleo::profile::base::nova::libvirt
|
|
config_image: {get_param: ContainerNovaLibvirtConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/nova_libvirt.json:
|
|
command: /nova_libvirt_launcher.sh
|
|
config_files:
|
|
list_concat:
|
|
-
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
optional: true
|
|
- source: "/var/lib/kolla/config_files/src-ceph/"
|
|
dest: "/etc/ceph/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
list_concat:
|
|
-
|
|
- path:
|
|
str_replace:
|
|
template: /etc/ceph/CLUSTER.client.USER.keyring
|
|
params:
|
|
CLUSTER: {get_param: CephClusterName}
|
|
USER: {get_param: CephClientUserName}
|
|
owner: nova:nova
|
|
perm: '0600'
|
|
/var/lib/kolla/config_files/nova_virtlogd.json:
|
|
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
container_config_scripts:
|
|
nova_libvirt_launcher.sh:
|
|
mode: "0755"
|
|
content:
|
|
str_replace:
|
|
template: |
|
|
#!/bin/bash
|
|
set -xe
|
|
if [[ -f /usr/lib/systemd/kvm-setup ]]; then
|
|
/usr/lib/systemd/kvm-setup
|
|
fi
|
|
/usr/sbin/libvirtd LIBVIRTD_ARGS
|
|
params:
|
|
LIBVIRTD_ARGS:
|
|
if:
|
|
- use_tls_for_live_migration
|
|
- '--listen'
|
|
- ''
|
|
docker_config:
|
|
step_3:
|
|
nova_virtlogd:
|
|
start_order: 0
|
|
image: {get_param: ContainerNovaLibvirtImage}
|
|
ulimit: {get_param: ContainerNovaLibvirtUlimit}
|
|
net: host
|
|
pid: host
|
|
security_opt: label=disable
|
|
privileged: true
|
|
restart: always
|
|
healthcheck:
|
|
test: '/openstack/healthcheck virtlogd'
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NovaLibvirtLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/nova_virtlogd.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/nova_libvirt:/var/lib/kolla/config_files/src:ro
|
|
- /lib/modules:/lib/modules:ro
|
|
- /dev:/dev
|
|
- /run:/run
|
|
- /sys/fs/cgroup:/sys/fs/cgroup
|
|
- /run/libvirt:/run/libvirt:shared
|
|
- /var/lib/libvirt:/var/lib/libvirt
|
|
- /etc/libvirt/qemu:/etc/libvirt/qemu:ro
|
|
- /var/log/libvirt/qemu:/var/log/libvirt/qemu
|
|
- /var/lib/nova:/var/lib/nova:shared
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
nova_libvirt:
|
|
start_order: 1
|
|
image: {get_param: ContainerNovaLibvirtImage}
|
|
ulimit: {get_param: ContainerNovaLibvirtUlimit}
|
|
net: host
|
|
pid: host
|
|
pids_limit: {get_param: ContainerNovaLibvirtPidsLimit}
|
|
privileged: true
|
|
security_opt:
|
|
- label=level:s0
|
|
- label=type:spc_t
|
|
- label=filetype:container_share_t
|
|
restart: always
|
|
depends_on:
|
|
- tripleo_nova_virtlogd.service
|
|
healthcheck:
|
|
test: '/openstack/healthcheck libvirtd'
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NovaLibvirtLogging, volumes]}
|
|
- {get_attr: [RoleParametersValue, value, nova_libvirt_opt_volumes]}
|
|
-
|
|
- /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
|
|
- /var/lib/kolla/config_files/nova_libvirt.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/nova_libvirt:/var/lib/kolla/config_files/src:ro
|
|
- /var/lib/container-config-scripts/nova_libvirt_launcher.sh:/nova_libvirt_launcher.sh:ro
|
|
- /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
|
|
- /lib/modules:/lib/modules:ro
|
|
- /dev:/dev
|
|
- /run:/run
|
|
- /sys/fs/cgroup:/sys/fs/cgroup
|
|
- /etc/libvirt:/etc/libvirt
|
|
- /run/libvirt:/run/libvirt:shared
|
|
- /var/lib/libvirt:/var/lib/libvirt:shared
|
|
- /var/cache/libvirt:/var/cache/libvirt:shared
|
|
- /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro
|
|
- /var/lib/vhost_sockets:/var/lib/vhost_sockets
|
|
- /var/lib/nova:/var/lib/nova:shared
|
|
- /sys/fs/selinux:/sys/fs/selinux
|
|
- /etc/selinux/config:/etc/selinux/config:ro
|
|
-
|
|
if:
|
|
- use_tls_for_live_migration
|
|
-
|
|
- /etc/pki/libvirt:/etc/pki/libvirt/:ro
|
|
- /etc/pki/libvirt-nbd:/etc/pki/libvirt-nbd:ro
|
|
- str_replace:
|
|
template: "CACERT:/etc/pki/CA/cacert.pem:ro"
|
|
params:
|
|
CACERT:
|
|
if:
|
|
- libvirt_specific_ca_unset
|
|
- get_param: InternalTLSCAFile
|
|
- get_param: LibvirtCACert
|
|
- str_replace:
|
|
template: "CACERT:/etc/pki/qemu/ca-cert.pem:ro"
|
|
params:
|
|
CACERT:
|
|
if:
|
|
- libvirt_nbd_specific_ca_unset
|
|
- get_param: InternalTLSNbdCAFile
|
|
- get_param: LibvirtNbdCACert
|
|
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/server-cert.pem:ro
|
|
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro
|
|
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/client-cert.pem:ro
|
|
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/client-key.pem:ro
|
|
- null
|
|
-
|
|
if:
|
|
- use_tls_for_vnc
|
|
-
|
|
- /etc/pki/libvirt-vnc/server-cert.pem:/etc/pki/libvirt-vnc/server-cert.pem:ro
|
|
- /etc/pki/libvirt-vnc/server-key.pem:/etc/pki/libvirt-vnc/server-key.pem:ro
|
|
- str_replace:
|
|
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
|
|
params:
|
|
CACERT:
|
|
if:
|
|
- libvirt_vnc_specific_ca_unset
|
|
- get_param: InternalTLSVncCAFile
|
|
- get_param: LibvirtVncCACert
|
|
- null
|
|
-
|
|
if:
|
|
- memory_backing_dir_set
|
|
-
|
|
- str_replace:
|
|
template: "MEMORY_BACKING_DIR:MEMORY_BACKING_DIR"
|
|
params:
|
|
MEMORY_BACKING_DIR: {get_attr: [RoleParametersValue, value, memory_backing_dir]}
|
|
- null
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
step_4:
|
|
if:
|
|
- need_libvirt_secret
|
|
- nova_libvirt_init_secret:
|
|
detach: false
|
|
image: {get_param: ContainerNovaLibvirtImage}
|
|
security_opt: label=disable
|
|
privileged: false
|
|
user: root
|
|
net: host
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova:ro
|
|
- /etc/libvirt:/etc/libvirt
|
|
- /run/libvirt:/run/libvirt:shared
|
|
- /var/lib/libvirt:/var/lib/libvirt:shared
|
|
command:
|
|
- /bin/bash
|
|
- -c
|
|
- str_replace:
|
|
template: /usr/bin/virsh secret-define --file /etc/nova/secret.xml && /usr/bin/virsh secret-set-value --secret 'SECRET_UUID' --base64 'SECRET_KEY'
|
|
params:
|
|
SECRET_UUID: {get_param: CephClusterFSID}
|
|
SECRET_KEY: {get_param: CephClientKey}
|
|
- {}
|
|
deploy_steps_tasks:
|
|
- name: validate nova-libvirt container state
|
|
podman_container_info:
|
|
name: nova_libvirt
|
|
register: nova_libvirt_infos
|
|
failed_when:
|
|
- nova_libvirt_infos.containers.0.Healthcheck.Status is defined
|
|
- "'healthy' not in nova_libvirt_infos.containers.0.Healthcheck.Status"
|
|
retries: 10
|
|
delay: 30
|
|
tags:
|
|
- opendev-validation
|
|
- opendev-validation-nova
|
|
when:
|
|
- container_cli == 'podman'
|
|
- not container_healthcheck_disabled
|
|
- step|int == 4
|
|
host_prep_tasks:
|
|
list_concat:
|
|
- {get_attr: [NovaLibvirtLogging, host_prep_tasks]}
|
|
- - name: create libvirt persistent data directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype | default(omit) }}"
|
|
with_items:
|
|
- { 'path': /etc/libvirt, 'setype': container_file_t }
|
|
- { 'path': /etc/libvirt/secrets, 'setype': container_file_t }
|
|
- { 'path': /etc/libvirt/qemu, 'setype': container_file_t }
|
|
- { 'path': /var/lib/libvirt, 'setype': container_file_t }
|
|
- { 'path': /var/cache/libvirt }
|
|
- { 'path': /var/lib/nova, 'setype': container_file_t }
|
|
- { 'path': /run/libvirt, 'setype': virt_var_run_t }
|
|
- { 'path': /var/log/libvirt, 'setype': container_file_t }
|
|
- { 'path': /var/log/libvirt/qemu, 'setype': container_file_t }
|
|
# qemu user on host will be cretaed by libvirt package install, ensure
|
|
# the qemu user created with same uid/gid as like libvirt package.
|
|
# These specific values are required since ovs is running on host.
|
|
# Once ovs with DPDK is containerized, we could modify this uid/gid
|
|
# to match with kolla config values.
|
|
- name: ensure qemu group is present on the host
|
|
group:
|
|
name: qemu
|
|
gid: 107
|
|
state: present
|
|
- name: ensure qemu user is present on the host
|
|
user:
|
|
name: qemu
|
|
uid: 107
|
|
group: qemu
|
|
state: present
|
|
shell: /sbin/nologin
|
|
comment: qemu user
|
|
- name: create directory for vhost-user sockets with qemu ownership
|
|
file:
|
|
path: /var/lib/vhost_sockets
|
|
state: directory
|
|
owner: qemu
|
|
group: {get_attr: [RoleParametersValue, value, vhostuser_socket_group]}
|
|
setype: virt_cache_t
|
|
seuser: system_u
|
|
- name: ensure ceph configurations exist
|
|
file:
|
|
path: /etc/ceph
|
|
state: directory
|
|
- name: check if libvirt is installed
|
|
command: /usr/bin/rpm -q libvirt-daemon
|
|
failed_when: false
|
|
register: libvirt_installed
|
|
check_mode: no
|
|
- name: make sure libvirt services are disabled and masked
|
|
service:
|
|
name: "{{ item }}"
|
|
state: stopped
|
|
enabled: no
|
|
masked: yes
|
|
daemon_reload: yes
|
|
with_items:
|
|
- libvirtd.service
|
|
- virtlogd.socket
|
|
when: libvirt_installed.rc == 0
|
|
- name: ensure /run/libvirt is present upon reboot
|
|
copy:
|
|
dest: /etc/tmpfiles.d/run-libvirt.conf
|
|
content: |
|
|
d /run/libvirt 0755 root root - -
|
|
metadata_settings:
|
|
list_concat:
|
|
- if:
|
|
- use_tls_for_live_migration
|
|
-
|
|
- service: libvirt
|
|
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
type: node
|
|
- service: qemu
|
|
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
type: node
|
|
- null
|
|
- if:
|
|
- use_tls_for_vnc
|
|
-
|
|
- service: libvirt-vnc
|
|
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
type: node
|
|
- null
|
|
upgrade_tasks:
|
|
- name: nova_libvirt_container_tmpfile_cleanup
|
|
when: step|int == 1
|
|
block: &nova_libvirt_container_tmpfile_cleanup
|
|
- name: Remove old tmpfiles.d config
|
|
file:
|
|
path: /etc/tmpfiles.d/var-run-libvirt.conf
|
|
state: absent
|
|
update_tasks:
|
|
- name: nova_libvirt_container_tmpfile_cleanup
|
|
when: step|int == 1
|
|
block: *nova_libvirt_container_tmpfile_cleanup
|