3a7baa8fa6
Since https://review.openstack.org/#/c/514707/ added the net_ip_map to hieradata, we can look up the per-network bind IPs via hiera interpolation instead of heat map_replace. In some cases the ServiceNetMap lookup is used for other things, but anywhere we make use of the "magic" translation via NetIpMap is changed the same way. This will enable more of the configuration data to be exposed per role vs per node in a future patch (to simplify our ansible workflow). Co-authored-by: Bogdan Dobrelya <bdobreli@redhat.com> Change-Id: Ie3da9fedbfce87e85f74d8780e7ad1ceadda79c8
380 lines
15 KiB
YAML
380 lines
15 KiB
YAML
heat_template_version: queens
|
|
|
|
description: >
|
|
OpenStack Glance API service configured with Puppet
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
Debug:
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
type: boolean
|
|
GlanceDebug:
|
|
default: ''
|
|
description: Set to True to enable debugging Glance service.
|
|
type: string
|
|
constraints:
|
|
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
|
GlancePassword:
|
|
description: The password for the glance service and db account, used by the glance services.
|
|
type: string
|
|
hidden: true
|
|
GlanceWorkers:
|
|
default: ''
|
|
description: |
|
|
Number of API worker processes for Glance. If left unset (empty string), the
|
|
default value will result in the configuration being left unset and a
|
|
system-dependent default value will be chosen (e.g.: number of
|
|
processors). Please note that this will create a large number of
|
|
processes on systems with a large number of CPUs resulting in excess
|
|
memory consumption. It is recommended that a suitable non-default value
|
|
be selected on such systems.
|
|
type: string
|
|
MonitoringSubscriptionGlanceApi:
|
|
default: 'overcloud-glance-api'
|
|
type: string
|
|
GlanceApiLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.glance.api
|
|
path: /var/log/glance/api.log
|
|
GlanceImageMemberQuota:
|
|
default: 128
|
|
description: |
|
|
Maximum number of image members per image.
|
|
Negative values evaluate to unlimited.
|
|
type: number
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
CephClientUserName:
|
|
default: openstack
|
|
type: string
|
|
CephClusterName:
|
|
type: string
|
|
default: ceph
|
|
description: The Ceph cluster name.
|
|
constraints:
|
|
- allowed_pattern: "[a-zA-Z0-9]+"
|
|
description: >
|
|
The Ceph cluster name must be at least 1 character and contain only
|
|
letters and numbers.
|
|
GlanceNotifierStrategy:
|
|
description: Strategy to use for Glance notification queue
|
|
type: string
|
|
default: noop
|
|
GlanceLogFile:
|
|
description: The filepath of the file to use for logging messages from Glance.
|
|
type: string
|
|
default: ''
|
|
GlanceBackend:
|
|
default: swift
|
|
description: The short name of the Glance backend to use. Should be one
|
|
of swift, rbd, cinder, or file
|
|
type: string
|
|
constraints:
|
|
- allowed_values: ['swift', 'file', 'rbd', 'cinder']
|
|
GlanceNfsEnabled:
|
|
default: false
|
|
description: >
|
|
When using GlanceBackend 'file', mount NFS share for image storage.
|
|
type: boolean
|
|
GlanceNfsShare:
|
|
default: ''
|
|
description: >
|
|
NFS share to mount for image storage (when GlanceNfsEnabled is true)
|
|
type: string
|
|
GlanceNetappNfsEnabled:
|
|
default: false
|
|
description: >
|
|
When using GlanceBackend 'file', Netapp mount NFS share for image storage.
|
|
type: boolean
|
|
NetappShareLocation:
|
|
default: ''
|
|
description: >
|
|
Netapp share to mount for image storage (when GlanceNetappNfsEnabled is true)
|
|
type: string
|
|
GlanceNfsOptions:
|
|
default: '_netdev,bg,intr,context=system_u:object_r:glance_var_lib_t:s0'
|
|
description: >
|
|
NFS mount options for image storage (when GlanceNfsEnabled is true)
|
|
type: string
|
|
GlanceRbdPoolName:
|
|
default: images
|
|
type: string
|
|
NovaEnableRbdBackend:
|
|
default: false
|
|
description: Whether to enable or not the Rbd backend for Nova
|
|
type: boolean
|
|
RabbitPassword:
|
|
description: The password for RabbitMQ
|
|
type: string
|
|
hidden: true
|
|
RabbitUserName:
|
|
default: guest
|
|
description: The username for RabbitMQ
|
|
type: string
|
|
RabbitClientPort:
|
|
default: 5672
|
|
description: Set rabbit subscriber port, change this if using SSL
|
|
type: number
|
|
RabbitClientUseSSL:
|
|
default: false
|
|
description: >
|
|
Rabbit client subscriber parameter to specify
|
|
an SSL connection to the RabbitMQ host.
|
|
type: string
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
GlanceApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Glance API.
|
|
e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
NotificationDriver:
|
|
type: string
|
|
default: 'messagingv2'
|
|
description: Driver or drivers to handle sending notifications.
|
|
constraints:
|
|
- allowed_values: [ 'messagingv2', 'noop' ]
|
|
|
|
conditions:
|
|
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
|
|
glance_workers_unset: {equals : [{get_param: GlanceWorkers}, '']}
|
|
service_debug_unset: {equals : [{get_param: GlanceDebug}, '']}
|
|
glance_multiple_locations:
|
|
and:
|
|
- equals:
|
|
- get_param: GlanceBackend
|
|
- rbd
|
|
- equals:
|
|
- get_param: NovaEnableRbdBackend
|
|
- true
|
|
|
|
resources:
|
|
|
|
TLSProxyBase:
|
|
type: OS::TripleO::Services::TLSProxyBase
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Glance API role.
|
|
value:
|
|
service_name: glance_api
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [TLSProxyBase, role_data, config_settings]
|
|
- glance::api::database_connection:
|
|
make_url:
|
|
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
|
|
username: glance
|
|
password: {get_param: GlancePassword}
|
|
host: {get_param: [EndpointMap, MysqlInternal, host]}
|
|
path: /glance
|
|
query:
|
|
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
read_default_group: tripleo
|
|
glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
|
|
glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
|
glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
|
glance::api::enable_v1_api: false
|
|
glance::api::enable_v2_api: true
|
|
glance::api::authtoken::password: {get_param: GlancePassword}
|
|
glance::api::enable_proxy_headers_parsing: true
|
|
glance::api::debug:
|
|
if:
|
|
- service_debug_unset
|
|
- {get_param: Debug }
|
|
- {get_param: GlanceDebug }
|
|
glance::policy::policies: {get_param: GlanceApiPolicies}
|
|
tripleo.glance_api.firewall_rules:
|
|
'112 glance_api':
|
|
dport:
|
|
- 9292
|
|
- 13292
|
|
glance::api::authtoken::project_name: 'service'
|
|
glance::keystone::authtoken::user_domain_name: 'Default'
|
|
glance::keystone::authtoken::project_domain_name: 'Default'
|
|
glance::api::pipeline: 'keystone'
|
|
glance::api::show_image_direct_url: true
|
|
glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]}
|
|
glance::api::os_region_name: {get_param: KeystoneRegion}
|
|
glance::api::image_member_quota: {get_param: GlanceImageMemberQuota}
|
|
# NOTE: bind IP is found in hiera replacing the network name with the
|
|
# local node IP for the given network; replacement examples
|
|
# (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
tripleo::profile::base::glance::api::tls_proxy_bind_ip:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
|
|
tripleo::profile::base::glance::api::tls_proxy_fqdn:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
|
|
tripleo::profile::base::glance::api::tls_proxy_port:
|
|
get_param: [EndpointMap, GlanceInternal, port]
|
|
# Bind to localhost if internal TLS is enabled, since we put a TLs
|
|
# proxy in front.
|
|
glance::api::bind_host:
|
|
if:
|
|
- use_tls_proxy
|
|
- 'localhost'
|
|
- str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
|
|
glance_notifier_strategy: {get_param: GlanceNotifierStrategy}
|
|
glance_log_file: {get_param: GlanceLogFile}
|
|
glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri] }
|
|
glance::backend::swift::swift_store_user: service:glance
|
|
glance::backend::swift::swift_store_key: {get_param: GlancePassword}
|
|
glance::backend::swift::swift_store_create_container_on_put: true
|
|
glance::backend::swift::swift_store_auth_version: 3
|
|
glance::backend::rbd::rbd_store_ceph_conf:
|
|
list_join:
|
|
- ''
|
|
- - '/etc/ceph/'
|
|
- {get_param: CephClusterName}
|
|
- '.conf'
|
|
glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName}
|
|
glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName}
|
|
glance_backend: {get_param: GlanceBackend}
|
|
glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName}
|
|
glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort}
|
|
glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword}
|
|
glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
|
|
glance::notify::rabbitmq::notification_driver: {get_param: NotificationDriver}
|
|
tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled}
|
|
tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare}
|
|
tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions}
|
|
-
|
|
if:
|
|
- glance_workers_unset
|
|
- {}
|
|
- glance::api::workers: {get_param: GlanceWorkers}
|
|
service_config_settings:
|
|
fluentd:
|
|
tripleo_fluentd_groups_glance_api:
|
|
- glance
|
|
tripleo_fluentd_sources_glance_api:
|
|
- {get_param: GlanceApiLoggingSource}
|
|
keystone:
|
|
glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
|
|
glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
|
|
glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
|
|
glance::keystone::auth::password: {get_param: GlancePassword }
|
|
glance::keystone::auth::region: {get_param: KeystoneRegion}
|
|
glance::keystone::auth::tenant: 'service'
|
|
mysql:
|
|
glance::db::mysql::password: {get_param: GlancePassword}
|
|
glance::db::mysql::user: glance
|
|
glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
glance::db::mysql::dbname: glance
|
|
glance::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
step_config: |
|
|
include ::tripleo::profile::base::glance::api
|
|
|
|
host_prep_tasks:
|
|
- name: Mount Netapp NFS
|
|
vars:
|
|
netapp_nfs_backend_enable: {get_param: GlanceNetappNfsEnabled}
|
|
block:
|
|
- name:
|
|
set_fact:
|
|
remote_file_path: /etc/glance/glance-metadata-file.conf
|
|
- name:
|
|
file:
|
|
path: "{{ remote_file_path }}"
|
|
state: touch
|
|
- stat: path="{{ remote_file_path }}"
|
|
register: file_path
|
|
- copy:
|
|
content: {"share_location" : "{{item.NETAPP_SHARE}}", "mount_point" : "/var/lib/glance/images", "type" : "nfs",}
|
|
dest: "{{ remote_file_path }}"
|
|
with_items:
|
|
- NETAPP_SHARE: {get_param: NetappShareLocation}
|
|
when:
|
|
- file_path.stat.exists == true
|
|
- name:
|
|
mount: name=/var/lib/glance/images src="{{item.NETAPP_SHARE}}" fstype=nfs4 opts="{{item.NFS_OPTIONS}}" state=mounted
|
|
with_items:
|
|
- NETAPP_SHARE: {get_param: NetappShareLocation}
|
|
NFS_OPTIONS: {get_param: GlanceNfsOptions}
|
|
when: netapp_nfs_backend_enable
|
|
|
|
upgrade_tasks:
|
|
- name: Check if glance_api is deployed
|
|
command: systemctl is-enabled openstack-glance-api
|
|
tags: common
|
|
ignore_errors: True
|
|
register: glance_api_enabled
|
|
#(TODO) Remove all glance-registry bits in Pike.
|
|
- name: Check if glance_registry is deployed
|
|
command: systemctl is-enabled openstack-glance-registry
|
|
tags: common
|
|
ignore_errors: True
|
|
register: glance_registry_enabled
|
|
- name: "PreUpgrade step0,validation: Check service openstack-glance-api is running"
|
|
shell: /usr/bin/systemctl show 'openstack-glance-api' --property ActiveState | grep '\bactive\b'
|
|
tags: validation
|
|
when:
|
|
- step|int == 0
|
|
- glance_api_enabled.rc == 0
|
|
- name: Stop glance_api service
|
|
when:
|
|
- step|int == 1
|
|
- glance_api_enabled.rc == 0
|
|
service: name=openstack-glance-api state=stopped
|
|
- name: Stop and disable glance registry (removed for Ocata)
|
|
when:
|
|
- step|int == 1
|
|
- glance_registry_enabled.rc == 0
|
|
service: name=openstack-glance-registry state=stopped enabled=no
|