ff83505e8a
The hiera function is deprecated and does not work with the latest hieradata version 5. It should be replaced by the new lookup function[1]. [1] https://puppet.com/docs/puppet/7/hiera_automatic.html With the lookup function, we can define value type and merge behavior, but these are kept default at this moment to limit scope of this change to just simple replacement. Adding value type might be useful to make sure the value is in expected type (especially when a boolean value is expected), but we will revisit that later. example: lookup(<NAME>, [<VALUE TYPE>], [<MERGE BEHAVIOR>], [<DEFAULT VALUE>]) Change-Id: If5ac88ffccc1bb800d8af33c8896294a57e9b5fb
460 lines
19 KiB
YAML
460 lines
19 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack containerized Rabbitmq service
|
|
|
|
parameters:
|
|
ContainerRabbitmqImage:
|
|
description: image
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
ContainerRabbitmqConfigImage:
|
|
description: The container image to use for the rabbitmq config_volume
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
RabbitCookie:
|
|
type: string
|
|
default: ''
|
|
hidden: true
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
RabbitUserName:
|
|
default: guest
|
|
description: The username for RabbitMQ
|
|
type: string
|
|
RabbitPassword:
|
|
description: The password for RabbitMQ
|
|
type: string
|
|
hidden: true
|
|
RabbitFDLimit:
|
|
default: 65536
|
|
description: Configures RabbitMQ FD limit
|
|
type: number
|
|
RabbitTCPBacklog:
|
|
default: 4096
|
|
description: Configures RabbitMQ maximum TCP Backlog
|
|
type: number
|
|
RabbitIPv6:
|
|
default: false
|
|
description: Enable IPv6 in RabbitMQ
|
|
type: boolean
|
|
RabbitHAQueues:
|
|
description:
|
|
The number of HA queues to be configured in rabbit. The default is -1 which
|
|
translates to "ha-mode all". The special value 0 will be automatically
|
|
overridden to CEIL(N/2) where N is the number of nodes running rabbitmq.
|
|
default: 0
|
|
type: number
|
|
RabbitNetTickTime:
|
|
description:
|
|
The number of seconds to configure the value of the erlang
|
|
net_ticktime kernel variable.
|
|
default: 15
|
|
type: number
|
|
RabbitFIPS:
|
|
type: boolean
|
|
default: false
|
|
description: Configures RabbitMQ to run in FIPS mode
|
|
RabbitAdditionalErlArgs:
|
|
description:
|
|
Additional parameters passed to the Erlang subsystem. The string
|
|
needs to be enclosed in quotes twice. We default to '+sbwt none
|
|
+sbwtdcpu none +sbwtdio none' in order to have the erlang vm be
|
|
less busy on spinlocks, but we allow a simple way of overriding
|
|
it.
|
|
default: "'+sbwt none +sbwtdcpu none +sbwtdio none'"
|
|
type: string
|
|
MonitoringSubscriptionRabbitmq:
|
|
default: 'overcloud-rabbitmq'
|
|
type: string
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
CertificateKeySize:
|
|
type: string
|
|
default: '2048'
|
|
description: Specifies the private key size used when creating the
|
|
certificate.
|
|
RabbitmqCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
RabbitmqEnableManagementAccess:
|
|
type: boolean
|
|
default: false
|
|
description: Allow access to RabbitMQ management plugin over network
|
|
|
|
parameter_groups:
|
|
- label: deprecated
|
|
description: |
|
|
The following parameters are deprecated and will be removed. They should not
|
|
be relied on for new deployments. If you have concerns regarding deprecated
|
|
parameters, please contact the TripleO development team on IRC or the
|
|
OpenStack mailing list.
|
|
parameters:
|
|
- RabbitIPv6
|
|
|
|
conditions:
|
|
is_ipv6:
|
|
equals:
|
|
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, RabbitmqNetwork]}]}
|
|
- 6
|
|
key_size_override_set:
|
|
not: {equals: [{get_param: RabbitmqCertificateKeySize}, '']}
|
|
rabbitmq_cacert_set:
|
|
not: {equals: [{get_param: InternalTLSCAFile}, '']}
|
|
|
|
resources:
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- ContainerRabbitmqImage: ContainerRabbitmqImage
|
|
ContainerRabbitmqConfigImage: ContainerRabbitmqConfigImage
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
ContainerRabbitmqImage: {get_param: ContainerRabbitmqImage}
|
|
ContainerRabbitmqConfigImage: {get_param: ContainerRabbitmqConfigImage}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Rabbitmq API role.
|
|
value:
|
|
service_name: rabbitmq
|
|
firewall_rules:
|
|
'109 rabbitmq':
|
|
dport:
|
|
list_concat:
|
|
- - 4369
|
|
- 5672
|
|
- 25672
|
|
- 25673-25683
|
|
- if:
|
|
- {get_param: RabbitmqEnableManagementAccess}
|
|
- - 15672
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
|
|
# RabbitMQ plugins initialization occurs on every node
|
|
config_settings:
|
|
map_merge:
|
|
-
|
|
rabbitmq::file_limit: {get_param: RabbitFDLimit}
|
|
rabbitmq::default_user: {get_param: RabbitUserName}
|
|
rabbitmq::default_pass: {get_param: RabbitPassword}
|
|
rabbit_ipv6: {if: [is_ipv6, true, false]}
|
|
rabbitmq::delete_guest_user: false
|
|
rabbitmq::wipe_db_on_cookie_change: true
|
|
rabbitmq::port: 5672
|
|
rabbitmq::loopback_users: []
|
|
rabbitmq::tcp_backlog: {get_param: RabbitTCPBacklog}
|
|
rabbitmq::repos_ensure: false
|
|
rabbitmq::tcp_keepalive: true
|
|
# https://launchpad.net/bugs/1822673 (lang/lc_all to utf-8 are an elixir requirement)
|
|
rabbitmq_environment:
|
|
LANG: 'en_US.UTF-8'
|
|
LC_ALL: 'en_US.UTF-8'
|
|
NODE_PORT: ''
|
|
NODE_IP_ADDRESS: ''
|
|
RABBITMQ_NODENAME:
|
|
str_replace:
|
|
template:
|
|
"rabbit@%{lookup('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
|
RABBITMQ_USE_LONGNAME: 'true'
|
|
RABBITMQ_CTL_DIST_PORT_MIN: '25673'
|
|
RABBITMQ_CTL_DIST_PORT_MAX: '25683'
|
|
'export ERL_EPMD_ADDRESS': "%{lookup('rabbitmq::interface')}"
|
|
tripleo::profile::base::rabbitmq::additional_erl_args: {get_param: RabbitAdditionalErlArgs}
|
|
rabbitmq_kernel_variables:
|
|
inet_dist_listen_min: '25672'
|
|
inet_dist_listen_max: '25672'
|
|
net_ticktime: {get_param: RabbitNetTickTime}
|
|
rabbitmq_config_variables:
|
|
cluster_partition_handling: 'ignore'
|
|
queue_master_locator: '<<"min-masters">>'
|
|
rabbitmq::config_additional_variables:
|
|
lager: '[{crash_log_count, 0}, { crash_log_date, ""}, { crash_log_size, 0 }]'
|
|
rabbitmq::erlang_cookie: {get_param: RabbitCookie}
|
|
# NOTE: bind IP is found in hiera replacing the network name with the
|
|
# local node IP for the given network; replacement examples
|
|
# (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
rabbitmq::interface:
|
|
str_replace:
|
|
template:
|
|
"%{lookup('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
|
rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues}
|
|
rabbitmq::ssl: {get_param: EnableInternalTLS}
|
|
rabbitmq::ssl_erl_dist: {get_param: EnableInternalTLS}
|
|
rabbitmq::ssl_port: 5672
|
|
rabbitmq::ssl_depth: 1
|
|
rabbitmq::ssl_only: {get_param: EnableInternalTLS}
|
|
rabbitmq::ssl_interface:
|
|
str_replace:
|
|
template:
|
|
"%{lookup('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
|
# TODO(jaosorior): Remove this once we set a proper default in
|
|
# puppet-tripleo
|
|
tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS}
|
|
tripleo::profile::base::rabbitmq::fips_mode: {get_param: RabbitFIPS}
|
|
rabbitmq::collect_statistics_interval: 30000
|
|
rabbitmq::admin_enable: false
|
|
rabbitmq::management_enable: true
|
|
rabbitmq::use_config_file_for_plugins: true
|
|
rabbitmq::management_ip_address:
|
|
if:
|
|
- {get_param: RabbitmqEnableManagementAccess}
|
|
- str_replace:
|
|
template:
|
|
"%{lookup('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, RabbitmqManagementNetwork]}
|
|
- 127.0.0.1
|
|
rabbitmq::management_port: 15672
|
|
rabbitmq::config_management_variables:
|
|
rates_mode: none
|
|
tripleo::certmonger::rabbitmq::postsave_cmd:
|
|
if:
|
|
- {get_param: EnableInternalTLS}
|
|
- true
|
|
# Only set CAs then InternalTLSCAFile is not ''
|
|
- if:
|
|
- rabbitmq_cacert_set
|
|
- rabbitmq::ssl_cacert: {get_param: InternalTLSCAFile}
|
|
rabbitmq::ssl_management_cacert: {get_param: InternalTLSCAFile}
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- tripleo::rabbitmq::service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
|
|
tripleo::profile::base::rabbitmq::certificate_specs:
|
|
service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
|
|
service_key: '/etc/pki/tls/private/rabbitmq.key'
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: rabbitmq
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "['Rabbitmq_policy', 'Rabbitmq_user'].each |String $val| { noop_resource($val) }"
|
|
- "include tripleo::profile::base::rabbitmq"
|
|
config_image: &rabbitmq_config_image {get_attr: [RoleParametersValue, value, ContainerRabbitmqConfigImage]}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/rabbitmq.json:
|
|
command: /usr/lib/rabbitmq/bin/rabbitmq-server
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
optional: true
|
|
permissions:
|
|
- path: /var/lib/rabbitmq
|
|
owner: rabbitmq:rabbitmq
|
|
recurse: true
|
|
- path: /etc/pki/tls/certs/rabbitmq.crt
|
|
owner: rabbitmq:rabbitmq
|
|
optional: true
|
|
- path: /etc/pki/tls/private/rabbitmq.key
|
|
owner: rabbitmq:rabbitmq
|
|
optional: true
|
|
docker_config:
|
|
# Kolla_bootstrap runs before permissions set by kolla_config
|
|
step_1:
|
|
rabbitmq_init_logs:
|
|
start_order: 0
|
|
detach: false
|
|
image: &rabbitmq_image {get_attr: [RoleParametersValue, value, ContainerRabbitmqImage]}
|
|
net: none
|
|
privileged: false
|
|
user: root
|
|
volumes:
|
|
- /var/log/containers/rabbitmq:/var/log/rabbitmq
|
|
command: ['/bin/bash', '-c', 'chown -R rabbitmq:rabbitmq /var/log/rabbitmq']
|
|
rabbitmq_bootstrap:
|
|
start_order: 1
|
|
detach: false
|
|
image: *rabbitmq_image
|
|
net: host
|
|
privileged: false
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/rabbitmq:/var/lib/kolla/config_files/src:ro
|
|
- /var/lib/rabbitmq:/var/lib/rabbitmq
|
|
- /var/log/containers/rabbitmq:/var/log/rabbitmq
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro
|
|
- /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
KOLLA_BOOTSTRAP: true
|
|
# NOTE: this should force this container to re-run on each
|
|
# update (scale-out, etc.)
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
RABBITMQ_CLUSTER_COOKIE: {get_param: RabbitCookie}
|
|
|
|
rabbitmq:
|
|
start_order: 2
|
|
image: *rabbitmq_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/rabbitmq:/var/lib/kolla/config_files/src:ro
|
|
- /var/lib/rabbitmq:/var/lib/rabbitmq:z
|
|
- /var/log/containers/rabbitmq:/var/log/rabbitmq:z
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro
|
|
- /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
container_puppet_tasks:
|
|
# RabbitMQ users and policies initialization occurs only on single node
|
|
step_2:
|
|
config_volume: 'rabbit_init_tasks'
|
|
puppet_tags: 'rabbitmq_policy,rabbitmq_user'
|
|
step_config: 'include tripleo::profile::base::rabbitmq'
|
|
config_image: *rabbitmq_config_image
|
|
volumes:
|
|
- /var/lib/config-data/puppet-generated/rabbitmq/etc/rabbitmq:/etc/rabbitmq:ro
|
|
- /var/lib/rabbitmq:/var/lib/rabbitmq
|
|
metadata_settings:
|
|
if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - service: rabbitmq
|
|
network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
|
type: node
|
|
deploy_steps_tasks:
|
|
- name: Certificate generation
|
|
when:
|
|
- step|int == 1
|
|
- enable_internal_tls
|
|
block:
|
|
- include_role:
|
|
name: linux-system-roles.certificate
|
|
vars:
|
|
certificate_requests:
|
|
- name: rabbitmq
|
|
dns:
|
|
str_replace:
|
|
template: "{{fqdn_$NETWORK}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
|
run_after: |
|
|
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
|
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
|
service_key="/etc/pki/tls/private/rabbitmq.key"
|
|
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
|
# lp#1917868: Do not use podman cp with HA containers as they get
|
|
# frozen temporarily and that can make pacemaker operation fail.
|
|
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
|
# no need to update the mount point, because pacemaker
|
|
# recreates the container when it's restarted
|
|
else
|
|
# Refresh the cert at the mount-point
|
|
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
|
# Refresh the key at the mount-point
|
|
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
|
# Copy the new cert from the mount-point to the real path
|
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
|
# Copy the new key from the mount-point to the real path
|
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
|
fi
|
|
# Set appropriate permissions
|
|
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
|
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
|
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
|
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
|
key_size:
|
|
if:
|
|
- key_size_override_set
|
|
- {get_param: RabbitmqCertificateKeySize}
|
|
- {get_param: CertificateKeySize}
|
|
ca: ipa
|
|
host_prep_tasks:
|
|
- name: creat fcontext entry for rabbitmq data
|
|
community.general.sefcontext:
|
|
target: "/var/lib/rabbitmq(/.*)?"
|
|
setype: container_file_t
|
|
state: present
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode|default(omit) }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/lib/rabbitmq, 'setype': container_file_t }
|
|
# TODO: Removal of package
|
|
upgrade_tasks: []
|
|
update_tasks: []
|
|
# TODO: Are we sure we want to support this. Rolling update
|
|
# without pacemaker may fail. Do we test this ? In any case,
|
|
# this is under tripleo_container_manage control so the latest image should be
|
|
# pulled in by the deploy steps. Same question for other
|
|
# usually managed by pacemaker container.
|