tripleo-heat-templates/deployment/nova/nova-libvirt-container-puppet.yaml
Martin Schuppert 86de3c3501 Disable tunneled mode when use_tls_for_live_migration
With recent version of libvirt, nova-compute don't come up
correct when tls-everywhere (use_tls_for_live_migration)
is set. The enable_live_migration_tunnelled condition
did not consider tls-livemigration and got disabled.
Nova-compute fails to start with:

2021-05-12 12:49:09.278 7 ERROR oslo_service.service nova.exception.Invalid: Setting both 'live_migration_tunnelled' and 'live_migration_with_native_tls' at the same time is invalid. If you have the relevant libvirt and QEMU versions, and TLS configured in your environment, pick 'live_migration_with_native_tls'._

This change enhance the enable_live_migration_tunnelled
condition to not configure tunnelled mode when
use_tls_for_live_migration is true.

Conflicts:
  - deployment/nova/nova-compute-container-puppet.yaml

NOTE(dvd):
- 91837d4fa7 Add new parameters to configure nova-compute direct rbd image download
- addcee106e Add ability to configure glance multiple cinder stores

Closes-Bug: #1928554
Related-bug: https://bugzilla.redhat.com/show_bug.cgi?id=1959808

Change-Id: I1a6f5d3a98d185415b772fa6a94d6f4329dc59a0
(cherry picked from commit 3a472cbbe8)
(cherry picked from commit 4b1da5cd5b)
2021-05-17 09:40:23 -04:00

933 lines
38 KiB
YAML

heat_template_version: rocky
description: >
OpenStack Libvirt Service
parameters:
ContainerNovaLibvirtImage:
description: image
type: string
# we configure libvirt via the nova-compute container due to coupling
# in the puppet modules
ContainerNovaLibvirtConfigImage:
description: The container image to use for the nova_libvirt config_volume
type: string
ContainerNovaLibvirtUlimit:
default: ['nofile=131072', 'nproc=126960']
description: ulimit for Nova Libvirt Container
type: comma_delimited_list
ContainerNovaLibvirtPidsLimit:
default: 65536
description: Tune nova_libvirt container PID limit (set to 0 for unlimited)
(defaults to 65536)
type: number
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
EnableInternalTLS:
type: boolean
default: false
UseTLSTransportForLiveMigration:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
relevant keys for libvirt.
NovaEnableRbdBackend:
default: false
description: Whether to enable the Rbd backend for Nova ephemeral storage.
type: boolean
tags:
- role_specific
CinderEnableRbdBackend:
default: false
description: Whether to enable or not the Rbd backend for Cinder
type: boolean
CephClientKey:
description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
type: string
hidden: true
constraints:
- allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
CephClusterFSID:
type: string
description: The Ceph cluster FSID. Must be a UUID.
CephClientUserName:
default: openstack
type: string
CephClusterName:
type: string
default: ceph
description: The Ceph cluster name.
constraints:
- allowed_pattern: "[a-zA-Z0-9]+"
description: >
The Ceph cluster name must be at least 1 character and contain only
letters and numbers.
UseTLSTransportForVnc:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt.
UseTLSTransportForNbd:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt NBD and configure the
relevant keys for libvirt.
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
InternalTLSNbdCAFile:
default: '/etc/pki/qemu/ca-cert.pem'
type: string
description: Specifies the CA cert to use for NBD TLS.
InternalTLSVncCAFile:
default: '/etc/pki/CA/certs/vnc.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
InternalTLSQemuCAFile:
default: '/etc/pki/CA/certs/qemu.pem'
type: string
description: Specifies the CA cert to use for qemu.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
LibvirtCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
LibvirtVNCServerCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
QemuServerCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
QemuClientCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
LibvirtCACert:
type: string
default: ''
description: This specifies the CA certificate to use for TLS in libvirt.
This file will be symlinked to the default CA path in libvirt,
which is /etc/pki/CA/cacert.pem. Note that due to limitations
GNU TLS, which is the TLS backend for libvirt, the file must
be less than 65K (so we can't use the system's CA bundle).
This parameter should be used if the default (which comes from
the InternalTLSCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
QemuCACert:
type: string
default: ''
description: This specifies the CA certificate to use for qemu.
This file will be symlinked to the default CA path,
which is /etc/pki/qemu/ca-cert.pem.
This parameter should be used if the default (which comes from
the InternalTLSQemuCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
LibvirtVncCACert:
type: string
default: ''
description: This specifies the CA certificate to use for VNC TLS.
This file will be symlinked to the default CA path,
which is /etc/pki/libvirt-vnc/ca-cert.pem.
This parameter should be used if the default (which comes from
the InternalTLSVncCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
LibvirtNbdCACert:
type: string
default: ''
description: This specifies the CA certificate to use for NBD TLS.
This file will be symlinked to the default CA path,
which is /etc/pki/libvirt-nbd/ca-cert.pem.
This parameter should be used if the default (which comes from
the InternalTLSNbdCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
VhostuserSocketGroup:
default: "qemu"
description: >
The vhost-user socket directory group name.
Defaults to 'qemu'. When vhostuser mode is 'dpdkvhostuserclient'
(which is the default mode), the vhost socket is created by qemu.
type: string
tags:
- role_specific
QemuMemoryBackingDir:
type: string
description: >
Directory used for memoryBacking source if configured as file.
NOTE: big files will be stored here
default: ''
tags:
- role_specific
ContainerCli:
type: string
default: 'podman'
description: CLI tool used to manage containers.
constraints:
- allowed_values: ['docker', 'podman']
NovaComputeLibvirtType:
type: string
default: kvm
LibvirtEnabledPerfEvents:
type: comma_delimited_list
default: []
description: This is a performance event list which could be used as monitor.
For example - ``enabled_perf_events = cmt, mbml, mbmt``
The supported events list can be found in
https://libvirt.org/html/libvirt-libvirt-domain.html ,
which you may need to search key words ``VIR_PERF_PARAM_*``
MonitoringSubscriptionNovaLibvirt:
default: 'overcloud-nova-libvirt'
type: string
MigrationSshKey:
type: json
description: >
SSH key for migration.
Expects a dictionary with keys 'public_key' and 'private_key'.
Values should be identical to SSH public/private key files.
default:
public_key: ''
private_key: ''
MigrationSshPort:
default: 2022
description: Target port for migration over ssh
type: number
LibvirtTLSPassword:
description: The password for the libvirt service when TLS is enabled
type: string
hidden: true
QemuDefaultTLSVerify:
description: >
Whether to enable or disable TLS client certificate verification. Enabling this
option will reject any client who does not have a certificate signed by the CA
in /etc/pki/qemu/ca-cert.pem
default: true
type: boolean
LibvirtLogFilters:
description: Defines a filter in libvirt daemon to select a different
logging level for a given category log outputs, as specified
in https://libvirt.org/logging.html .
type: string
default: '1:libvirt 1:qemu 1:conf 1:security 3:event 3:json 3:file 3:object 1:util'
LibvirtVirtlogdLogFilters:
description: Defines a filter in virtlogd to select a different
logging level for a given category log outputs, as specified
in https://libvirt.org/logging.html .
type: string
default: '1:logging 4:object 4:json 4:event 1:util'
LibvirtTLSPriority:
description: >
Override the compile time default TLS priority string.
type: string
default: 'NORMAL:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.2'
NovaLibvirtOptVolumes:
default: []
description: list of optional volumes to be mounted
type: comma_delimited_list
tags:
- role_specific
conditions:
use_tls_for_live_migration:
and:
- {get_param: EnableInternalTLS}
- {get_param: UseTLSTransportForLiveMigration}
libvirt_specific_ca_unset:
equals:
- {get_param: LibvirtCACert}
- ''
need_libvirt_secret:
or:
- equals:
- {get_param: [RoleParameters, NovaEnableRbdBackend]}
- true
- and:
- equals:
- {get_param: [RoleParameters, NovaEnableRbdBackend]}
- ''
- equals:
- {get_param: NovaEnableRbdBackend}
- true
- equals:
- {get_param: CinderEnableRbdBackend}
- true
use_tls_for_vnc:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForVnc}
- true
libvirt_vnc_specific_ca_unset:
equals:
- {get_param: LibvirtVncCACert}
- ''
memory_backing_dir_set:
not:
and:
- equals:
- {get_param: QemuMemoryBackingDir}
- ''
- equals:
- {get_param: [RoleParameters, QemuMemoryBackingDir]}
- ''
use_tls_for_nbd:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForNbd}
- true
libvirt_nbd_specific_ca_unset:
equals:
- {get_param: LibvirtNbdCACert}
- ''
qemu_specific_ca_unset:
equals:
- {get_param: QemuCACert}
- ''
key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']}
key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']}
key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']}
key_size_qemu_server_override_unset: {equals: [{get_param: QemuServerCertificateKeySize}, '']}
resources:
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- vhostuser_socket_group: VhostuserSocketGroup
nova::compute::libvirt::qemu::memory_backing_dir: QemuMemoryBackingDir
nova_libvirt_opt_volumes: NovaLibvirtOptVolumes
- values: {get_param: [RoleParameters]}
- values:
VhostuserSocketGroup: {get_param: VhostuserSocketGroup}
QemuMemoryBackingDir: {get_param: QemuMemoryBackingDir}
NovaLibvirtOptVolumes: {get_param: NovaLibvirtOptVolumes}
ContainersCommon:
type: ../containers-common.yaml
NovaLibvirtLogging:
type: OS::TripleO::Services::Logging::NovaLibvirt
NovaBase:
type: ./nova-base-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Libvirt service.
value:
service_name: nova_libvirt
firewall_rules:
'200 nova_libvirt':
dport:
- 16514
- '61152-61215'
- '5900-6923'
monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
config_settings:
map_merge:
- get_attr: [NovaBase, role_data, config_settings]
- get_attr: [RoleParametersValue, value]
- get_attr: [NovaLibvirtLogging, config_settings]
# we include ::nova::compute::libvirt::services in nova/libvirt profile
- nova::compute::libvirt::manage_libvirt_services: false
# we manage migration in nova common puppet profile
nova::compute::libvirt::migration_support: false
nova::compute::rbd::libvirt_images_rbd_ceph_conf:
list_join:
- ''
- - '/etc/ceph/'
- {get_param: CephClusterName}
- '.conf'
nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
nova::compute::rbd::rbd_keyring:
list_join:
- '.'
- - 'client'
- {get_param: CephClientUserName}
nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey}
nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID}
tripleo::profile::base::nova::migration::client::libvirt_enabled: true
tripleo::profile::base::nova::migration::client::ssh_private_key: {get_param: [ MigrationSshKey, private_key ]}
tripleo::profile::base::nova::migration::client::ssh_port: {get_param: MigrationSshPort}
nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
nova::compute::libvirt::virt_type: {get_param: NovaComputeLibvirtType}
nova::compute::libvirt::enabled_perf_events: {get_param: LibvirtEnabledPerfEvents}
nova::compute::libvirt::qemu::configure_qemu: true
nova::compute::libvirt::qemu::max_files: 32768
nova::compute::libvirt::qemu::max_processes: 131072
nova::migration::qemu::configure_qemu: true
nova::migration::qemu::migration_port_min: 61152
nova::migration::qemu::migration_port_max: 61215
nova::compute::libvirt::vncserver_listen:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
nova::compute::libvirt::log_filters: {get_param: LibvirtLogFilters}
nova::compute::libvirt::virtlogd::log_filters: {get_param: LibvirtVirtlogdLogFilters}
rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
-
if:
- use_tls_for_live_migration
-
generate_service_certificates: true
tripleo::profile::base::nova::migration::client::libvirt_tls: true
tripleo::profile::base::nova::libvirt::tls_password: {get_param: [LibvirtTLSPassword]}
nova::compute::libvirt::qemu::default_tls_verify: {get_param: QemuDefaultTLSVerify}
nova::compute::libvirt::tls_priority: {get_param: LibvirtTLSPriority}
nova::migration::libvirt::listen_address:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
nova::migration::libvirt::live_migration_inbound_addr:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
tripleo::certmonger::ca::libvirt::origin_ca_pem:
if:
- libvirt_specific_ca_unset
- get_param: InternalTLSCAFile
- get_param: LibvirtCACert
tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
libvirt_certificates_specs:
libvirt-server-cert:
service_certificate: '/etc/pki/libvirt/servercert.pem'
service_key: '/etc/pki/libvirt/private/serverkey.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
libvirt-client-cert:
service_certificate: '/etc/pki/libvirt/clientcert.pem'
service_key: '/etc/pki/libvirt/private/clientkey.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
if:
- key_size_libvirtvnc_override_unset
- {get_param: CertificateKeySize}
- {get_param: LibvirtCertificateKeySize}
# create the qemu and qemu_ndb dirs and certs also when when tls for nbd
# is not enabled this allows us to enable it even at a later time without
# restart of instances
tripleo::certmonger::qemu_dirs::certificate_dir: '/etc/pki/qemu'
tripleo::certmonger::qemu_nbd_dirs::certificate_dir: '/etc/pki/libvirt-nbd'
tripleo::certmonger::ca::qemu::origin_ca_pem:
if:
- qemu_specific_ca_unset
- get_param: InternalTLSQemuCAFile
- get_param: QemuCACert
qemu_certificates_specs:
qemu-server-cert:
cacertfile:
if:
- qemu_specific_ca_unset
- get_param: InternalTLSQemuCAFile
- null
service_certificate: '/etc/pki/qemu/server-cert.pem'
service_key: '/etc/pki/qemu/server-key.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "qemu/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
if:
- key_size_qemu_server_override_unset
- {get_param: CertificateKeySize}
- {get_param: QemuServerCertificateKeySize}
qemu-nbd-client-cert:
service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
service_key: '/etc/pki/libvirt-nbd/client-key.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "qemu/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
if:
- key_size_qemu_client_override_unset
- {get_param: CertificateKeySize}
- {get_param: QemuClientCertificateKeySize}
-
nova::migration::libvirt::live_migration_inbound_addr:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
-
if:
- use_tls_for_vnc
-
nova::compute::libvirt::qemu::vnc_tls: true
nova::compute::libvirt::qemu::vnc_tls_verify: true
generate_service_certificates: true
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- get_param: LibvirtVncCACert
tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
libvirt_vnc_certificates_specs:
libvirt-vnc-server-cert:
cacertfile:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- null
service_certificate: '/etc/pki/libvirt-vnc/server-cert.pem'
service_key: '/etc/pki/libvirt-vnc/server-key.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
if:
- key_size_libvirtvnc_override_unset
- {get_param: CertificateKeySize}
- {get_param: LibvirtVNCServerCertificateKeySize}
- {}
-
if:
- use_tls_for_nbd
-
nova::compute::libvirt::qemu::nbd_tls: true
nova::migration::libvirt::live_migration_with_native_tls: true
- {}
puppet_config:
config_volume: nova_libvirt
puppet_tags: libvirtd_config,virtlogd_config,nova_config,file,libvirt_tls_password
step_config: |
include tripleo::profile::base::nova::libvirt
config_image: {get_param: ContainerNovaLibvirtConfigImage}
kolla_config:
/var/lib/kolla/config_files/nova_libvirt.json:
command: /nova_libvirt_launcher.sh
config_files:
list_concat:
-
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
- source: "/var/lib/kolla/config_files/src-ceph/"
dest: "/etc/ceph/"
merge: true
preserve_properties: true
permissions:
list_concat:
-
- path:
str_replace:
template: /etc/ceph/CLUSTER.client.USER.keyring
params:
CLUSTER: {get_param: CephClusterName}
USER: {get_param: CephClientUserName}
owner: nova:nova
perm: '0600'
/var/lib/kolla/config_files/nova_virtlogd.json:
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
container_config_scripts:
nova_libvirt_launcher.sh:
mode: "0755"
content:
str_replace:
template: |
#!/bin/bash
set -xe
if [[ -f /usr/lib/systemd/kvm-setup ]]; then
/usr/lib/systemd/kvm-setup
fi
/usr/sbin/libvirtd LIBVIRTD_ARGS
params:
LIBVIRTD_ARGS:
if:
- use_tls_for_live_migration
- '--listen'
- ''
docker_config:
step_3:
nova_virtlogd:
start_order: 0
image: {get_param: ContainerNovaLibvirtImage}
ulimit: {get_param: ContainerNovaLibvirtUlimit}
net: host
pid: host
security_opt: label=disable
privileged: true
restart: always
healthcheck:
test: '/openstack/healthcheck virtlogd'
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NovaLibvirtLogging, volumes]}
-
- /var/lib/kolla/config_files/nova_virtlogd.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova_libvirt:/var/lib/kolla/config_files/src:ro
- /lib/modules:/lib/modules:ro
- /dev:/dev
- /run:/run
- /sys/fs/cgroup:/sys/fs/cgroup
- /run/libvirt:/run/libvirt:shared
- /var/lib/libvirt:/var/lib/libvirt
- /etc/libvirt/qemu:/etc/libvirt/qemu:ro
- /var/log/libvirt/qemu:/var/log/libvirt/qemu
- /var/lib/nova:/var/lib/nova:shared
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
nova_libvirt:
start_order: 1
image: {get_param: ContainerNovaLibvirtImage}
ulimit: {get_param: ContainerNovaLibvirtUlimit}
net: host
pid: host
pids_limit: {get_param: ContainerNovaLibvirtPidsLimit}
privileged: true
security_opt:
- label=level:s0
- label=type:spc_t
- label=filetype:container_share_t
restart: always
depends_on:
- tripleo_nova_virtlogd.service
healthcheck:
test: '/openstack/healthcheck libvirtd'
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NovaLibvirtLogging, volumes]}
- {get_attr: [RoleParametersValue, value, nova_libvirt_opt_volumes]}
-
- /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
- /var/lib/kolla/config_files/nova_libvirt.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova_libvirt:/var/lib/kolla/config_files/src:ro
- /var/lib/container-config-scripts/nova_libvirt_launcher.sh:/nova_libvirt_launcher.sh:ro
- /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
- /lib/modules:/lib/modules:ro
- /dev:/dev
- /run:/run
- /sys/fs/cgroup:/sys/fs/cgroup
- /etc/libvirt:/etc/libvirt
- /run/libvirt:/run/libvirt:shared
- /var/lib/libvirt:/var/lib/libvirt:shared
- /var/cache/libvirt:/var/cache/libvirt:shared
- /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro
- /var/lib/vhost_sockets:/var/lib/vhost_sockets
- /var/lib/nova:/var/lib/nova:shared
- /sys/fs/selinux:/sys/fs/selinux
- /etc/selinux/config:/etc/selinux/config:ro
-
if:
- use_tls_for_live_migration
-
- /etc/pki/libvirt:/etc/pki/libvirt/:ro
- /etc/pki/libvirt-nbd:/etc/pki/libvirt-nbd:ro
- str_replace:
template: "CACERT:/etc/pki/CA/cacert.pem:ro"
params:
CACERT:
if:
- libvirt_specific_ca_unset
- get_param: InternalTLSCAFile
- get_param: LibvirtCACert
- str_replace:
template: "CACERT:/etc/pki/qemu/ca-cert.pem:ro"
params:
CACERT:
if:
- libvirt_nbd_specific_ca_unset
- get_param: InternalTLSNbdCAFile
- get_param: LibvirtNbdCACert
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/server-cert.pem:ro
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/client-cert.pem:ro
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/client-key.pem:ro
- null
-
if:
- use_tls_for_vnc
-
- /etc/pki/libvirt-vnc/server-cert.pem:/etc/pki/libvirt-vnc/server-cert.pem:ro
- /etc/pki/libvirt-vnc/server-key.pem:/etc/pki/libvirt-vnc/server-key.pem:ro
- str_replace:
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
params:
CACERT:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- get_param: LibvirtVncCACert
- null
-
if:
- memory_backing_dir_set
-
- str_replace:
template: "MEMORY_BACKING_DIR:MEMORY_BACKING_DIR"
params:
MEMORY_BACKING_DIR: {get_attr: [RoleParametersValue, value, memory_backing_dir]}
- null
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
step_4:
if:
- need_libvirt_secret
- nova_libvirt_init_secret:
detach: false
image: {get_param: ContainerNovaLibvirtImage}
security_opt: label=disable
privileged: false
user: root
net: host
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova:ro
- /etc/libvirt:/etc/libvirt
- /run/libvirt:/run/libvirt:shared
- /var/lib/libvirt:/var/lib/libvirt:shared
command:
- /bin/bash
- -c
- str_replace:
template: /usr/bin/virsh secret-define --file /etc/nova/secret.xml && /usr/bin/virsh secret-set-value --secret 'SECRET_UUID' --base64 'SECRET_KEY'
params:
SECRET_UUID: {get_param: CephClusterFSID}
SECRET_KEY: {get_param: CephClientKey}
- {}
deploy_steps_tasks:
- name: validate nova-libvirt container state
podman_container_info:
name: nova_libvirt
register: nova_libvirt_infos
failed_when:
- nova_libvirt_infos.containers.0.Healthcheck.Status is defined
- "'healthy' not in nova_libvirt_infos.containers.0.Healthcheck.Status"
retries: 10
delay: 30
tags:
- opendev-validation
- opendev-validation-nova
when:
- container_cli == 'podman'
- not container_healthcheck_disabled
- step|int == 4
host_prep_tasks:
list_concat:
- {get_attr: [NovaLibvirtLogging, host_prep_tasks]}
- - name: create libvirt persistent data directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype | default(omit) }}"
with_items:
- { 'path': /etc/libvirt, 'setype': container_file_t }
- { 'path': /etc/libvirt/secrets, 'setype': container_file_t }
- { 'path': /etc/libvirt/qemu, 'setype': container_file_t }
- { 'path': /var/lib/libvirt, 'setype': container_file_t }
- { 'path': /var/cache/libvirt }
- { 'path': /var/lib/nova, 'setype': container_file_t }
- { 'path': /run/libvirt, 'setype': virt_var_run_t }
- { 'path': /var/log/libvirt, 'setype': container_file_t }
- { 'path': /var/log/libvirt/qemu, 'setype': container_file_t }
# qemu user on host will be cretaed by libvirt package install, ensure
# the qemu user created with same uid/gid as like libvirt package.
# These specific values are required since ovs is running on host.
# Once ovs with DPDK is containerized, we could modify this uid/gid
# to match with kolla config values.
- name: ensure qemu group is present on the host
group:
name: qemu
gid: 107
state: present
- name: ensure qemu user is present on the host
user:
name: qemu
uid: 107
group: qemu
state: present
shell: /sbin/nologin
comment: qemu user
- name: create directory for vhost-user sockets with qemu ownership
file:
path: /var/lib/vhost_sockets
state: directory
owner: qemu
group: {get_attr: [RoleParametersValue, value, vhostuser_socket_group]}
setype: virt_cache_t
seuser: system_u
- name: ensure ceph configurations exist
file:
path: /etc/ceph
state: directory
- name: check if libvirt is installed
command: /usr/bin/rpm -q libvirt-daemon
failed_when: false
register: libvirt_installed
check_mode: no
- name: make sure libvirt services are disabled and masked
service:
name: "{{ item }}"
state: stopped
enabled: no
masked: yes
daemon_reload: yes
with_items:
- libvirtd.service
- virtlogd.socket
when: libvirt_installed.rc == 0
- name: ensure /run/libvirt is present upon reboot
copy:
dest: /etc/tmpfiles.d/run-libvirt.conf
content: |
d /run/libvirt 0755 root root - -
metadata_settings:
list_concat:
- if:
- use_tls_for_live_migration
-
- service: libvirt
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- service: qemu
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- null
- if:
- use_tls_for_vnc
-
- service: libvirt-vnc
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- null
upgrade_tasks:
- name: nova_libvirt_container_tmpfile_cleanup
when: step|int == 1
block: &nova_libvirt_container_tmpfile_cleanup
- name: Remove old tmpfiles.d config
file:
path: /etc/tmpfiles.d/var-run-libvirt.conf
state: absent
update_tasks:
- name: nova_libvirt_container_tmpfile_cleanup
when: step|int == 1
block: *nova_libvirt_container_tmpfile_cleanup