6db0f74e23
Adds NovaRestrictLiveMigration boolean parmeter to enable an api policy to allow live migration only for a specific role which can be customized using NovaRestrictLiveMigrationRole. This feature is to prevent the default admin role users to be able to use live migration on coincidence. Additional policies specified using NovaApiPolicies get merged with this polic Depends-On: https://review.opendev.org/c/openstack/puppet-nova/+/802251 Change-Id: If0b60037f7bb7084d0d5e549670e9d8bf53330a8
723 lines
29 KiB
YAML
723 lines
29 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack containerized Nova API service
|
|
|
|
parameters:
|
|
ContainerNovaApiImage:
|
|
description: image
|
|
type: string
|
|
ContainerNovaConfigImage:
|
|
description: The container image to use for the nova config_volume
|
|
type: string
|
|
NovaApiLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.nova.api
|
|
file: /var/log/containers/nova/nova-api.log
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
NovaPassword:
|
|
description: The password for the nova service and db account
|
|
type: string
|
|
hidden: true
|
|
MysqlIPv6:
|
|
default: false
|
|
description: Enable IPv6 in MySQL
|
|
type: boolean
|
|
NovaWorkers:
|
|
default: 0
|
|
description: Number of workers for Nova services.
|
|
type: number
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
InstanceNameTemplate:
|
|
default: 'instance-%08x'
|
|
description: Template string to be used to generate instance names
|
|
type: string
|
|
NovaEnableDBPurge:
|
|
default: true
|
|
description: |
|
|
Whether to create cron job for purging soft deleted rows in Nova database.
|
|
type: boolean
|
|
NovaEnableDBArchive:
|
|
default: true
|
|
description: |
|
|
Whether to create cron job for archiving soft deleted rows in Nova database.
|
|
type: boolean
|
|
MonitoringSubscriptionNovaApi:
|
|
default: 'overcloud-nova-api'
|
|
type: string
|
|
NovaDefaultFloatingPool:
|
|
default: 'public'
|
|
description: Default pool for floating IP addresses
|
|
type: string
|
|
NovaApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Nova API.
|
|
e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
NovaAllowResizeToSameHost:
|
|
default: false
|
|
description: Allow destination machine to match source for resize.
|
|
type: boolean
|
|
NovaApiMaxLimit:
|
|
default: 1000
|
|
description: Max number of objects returned per API query
|
|
type: number
|
|
NovaCronPurgeShadowTablesMinute:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - Minute
|
|
default: '0'
|
|
NovaCronPurgeShadowTablesHour:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - Hour
|
|
default: '5'
|
|
NovaCronPurgeShadowTablesMonthday:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - Month Day
|
|
default: '*'
|
|
NovaCronPurgeShadowTablesMonth:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - Month
|
|
default: '*'
|
|
NovaCronPurgeShadowTablesWeekday:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - Week Day
|
|
default: '*'
|
|
NovaCronPurgeShadowTablesUser:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - User
|
|
default: 'nova'
|
|
NovaCronPurgeShadowTablesDestination:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - Log destination
|
|
default: '/var/log/nova/nova-rowspurge.log'
|
|
NovaCronPurgeShadowTablesMaxDelay:
|
|
type: string
|
|
description: >
|
|
Cron to purge shadow tables - Max Delay
|
|
default: '3600'
|
|
NovaCronPurgeShadowTablesAge:
|
|
type: number
|
|
description: >
|
|
Cron to purge shadow tables - Age
|
|
This will define the retention policy when
|
|
purging the shadow tables in days.
|
|
0 means, purge data older than today in
|
|
shadow tables.
|
|
default: 14
|
|
NovaCronPurgeShadowTablesVerbose:
|
|
type: boolean
|
|
description: >
|
|
Cron to purge shadow tables - Verbose
|
|
default: false
|
|
NovaCronPurgeShadowTablesAllCells:
|
|
type: boolean
|
|
description: >
|
|
Cron to purge shadow tables - All cells
|
|
default: true
|
|
NovaCronArchiveDeleteRowsMinute:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Minute
|
|
default: '1'
|
|
NovaCronArchiveDeleteRowsHour:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Hour
|
|
default: '0'
|
|
NovaCronArchiveDeleteRowsMonthday:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Month Day
|
|
default: '*'
|
|
NovaCronArchiveDeleteRowsMonth:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Month
|
|
default: '*'
|
|
NovaCronArchiveDeleteRowsWeekday:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Week Day
|
|
default: '*'
|
|
NovaCronArchiveDeleteRowsMaxRows:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Max Rows
|
|
default: '1000'
|
|
NovaCronArchiveDeleteRowsUser:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - User
|
|
default: 'nova'
|
|
NovaCronArchiveDeleteRowsDestination:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Log destination
|
|
default: '/var/log/nova/nova-rowsflush.log'
|
|
NovaCronArchiveDeleteRowsMaxDelay:
|
|
type: string
|
|
description: >
|
|
Cron to move deleted instances to another table - Max Delay
|
|
default: '3600'
|
|
NovaCronArchiveDeleteRowsUntilComplete:
|
|
type: boolean
|
|
description: >
|
|
Cron to move deleted instances to another table - Until complete
|
|
default: true
|
|
NovaCronArchiveDeleteRowsPurge:
|
|
type: boolean
|
|
description: >
|
|
Purge shadow tables immediately after scheduled archiving
|
|
default: false
|
|
NovaCronArchiveDeleteAllCells:
|
|
type: boolean
|
|
description: >
|
|
Archive deleted instances from all cells
|
|
default: true
|
|
NovaCronArchiveDeleteRowsAge:
|
|
type: number
|
|
description: >
|
|
Cron to archive deleted instances - Age
|
|
This will define the retention policy when
|
|
archiving the deleted instances entries in days.
|
|
0 means, purge data older than today in
|
|
shadow tables.
|
|
default: 90
|
|
NovaCronArchiveDeleteRowsTaskLog:
|
|
type: boolean
|
|
description: >
|
|
Archive task_log records while archiving the database
|
|
default: true
|
|
MemcacheUseAdvancedPool:
|
|
type: boolean
|
|
description: |
|
|
Use the advanced (eventlet safe) memcached client pool.
|
|
default: true
|
|
NovaRestrictLiveMigration:
|
|
type: boolean
|
|
description: |
|
|
Restrict live migration by limit access to 'os_compute_api:os-migrate-server:migrate_live'
|
|
api policy to the NovaLiveMigrationRole role. This can be used to
|
|
disallow the default admin role use live migration.
|
|
Additional policies specified using NovaApiPolicies get merged with this
|
|
policy.
|
|
default: false
|
|
NovaRestrictLiveMigrationRole:
|
|
description: |
|
|
Name of the user role which gets set to limit live migration when
|
|
NovaRestrictLiveMigration is enabled.
|
|
default: 'live-migration'
|
|
type: string
|
|
|
|
parameter_groups:
|
|
- label: deprecated
|
|
description: |
|
|
The following parameters are deprecated and will be removed. They should not
|
|
be relied on for new deployments. If you have concerns regarding deprecated
|
|
parameters, please contact the TripleO development team on IRC or the
|
|
OpenStack mailing list.
|
|
parameters:
|
|
- MysqlIPv6
|
|
|
|
conditions:
|
|
mysql_ipv6_use_ip_address:
|
|
and:
|
|
- {equals: [{get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}, 6]}
|
|
- not: {get_param: EnableInternalTLS}
|
|
nova_workers_set:
|
|
not: {equals : [{get_param: NovaWorkers}, 0]}
|
|
|
|
resources:
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../../deployment/database/mysql-client.yaml
|
|
|
|
NovaApiLogging:
|
|
type: OS::TripleO::Services::Logging::NovaApi
|
|
|
|
ApacheServiceBase:
|
|
type: ../../deployment/apache/apache-baremetal-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
NovaBase:
|
|
type: ./nova-base-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
NovaApiDBClient:
|
|
type: ./nova-apidb-client-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
NovaDBClient:
|
|
type: ./nova-db-client-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Nova API role.
|
|
value:
|
|
service_name: nova_api
|
|
firewall_rules:
|
|
'113 nova_api':
|
|
dport:
|
|
- 8774
|
|
- 13774
|
|
keystone_resources:
|
|
nova:
|
|
endpoints:
|
|
public: {get_param: [EndpointMap, NovaPublic, uri]}
|
|
internal: {get_param: [EndpointMap, NovaInternal, uri]}
|
|
admin: {get_param: [EndpointMap, NovaAdmin, uri]}
|
|
users:
|
|
nova:
|
|
roles:
|
|
- admin
|
|
- service
|
|
password: {get_param: NovaPassword}
|
|
region: {get_param: KeystoneRegion}
|
|
service: 'compute'
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionNovaApi}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [NovaBase, role_data, config_settings]
|
|
- get_attr: [NovaApiDBClient, role_data, config_settings]
|
|
- get_attr: [NovaDBClient, role_data, config_settings]
|
|
- get_attr: [NovaApiLogging, config_settings]
|
|
- apache::default_vhost: false
|
|
nova::keystone::authtoken::project_name: 'service'
|
|
nova::keystone::authtoken::user_domain_name: 'Default'
|
|
nova::keystone::authtoken::project_domain_name: 'Default'
|
|
nova::keystone::authtoken::password: {get_param: NovaPassword}
|
|
nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
|
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
|
nova::keystone::authtoken::interface: 'internal'
|
|
nova::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
|
|
nova::api::max_limit: {get_param: NovaApiMaxLimit}
|
|
nova::api::enabled: true
|
|
nova::network::neutron::default_floating_pool: {get_param: NovaDefaultFloatingPool}
|
|
nova::api::enable_proxy_headers_parsing: true
|
|
nova::api::api_bind_address:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
|
nova::api::service_name: 'httpd'
|
|
nova::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
|
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
nova::wsgi::apache_api::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
|
nova::wsgi::apache_api::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
|
nova::api::instance_name_template: {get_param: InstanceNameTemplate}
|
|
nova::policy::purge_config: true
|
|
nova::policy::policies:
|
|
map_merge:
|
|
- {get_param: NovaApiPolicies}
|
|
- if:
|
|
- {get_param: NovaRestrictLiveMigration}
|
|
- limit_live_migration:
|
|
key: 'os_compute_api:os-migrate-server:migrate_live'
|
|
value:
|
|
str_replace:
|
|
template: 'role:LMROLENAME'
|
|
params:
|
|
LMROLENAME: {get_param: NovaRestrictLiveMigrationRole}
|
|
- {}
|
|
nova::api::allow_resize_to_same_host: {get_param: NovaAllowResizeToSameHost}
|
|
nova_enable_db_purge: {get_param: NovaEnableDBPurge}
|
|
nova::cron::purge_shadow_tables::minute: {get_param: NovaCronPurgeShadowTablesMinute}
|
|
nova::cron::purge_shadow_tables::hour: {get_param: NovaCronPurgeShadowTablesHour}
|
|
nova::cron::purge_shadow_tables::monthday: {get_param: NovaCronPurgeShadowTablesMonthday}
|
|
nova::cron::purge_shadow_tables::month: {get_param: NovaCronPurgeShadowTablesMonth}
|
|
nova::cron::purge_shadow_tables::weekday: {get_param: NovaCronPurgeShadowTablesWeekday}
|
|
nova::cron::purge_shadow_tables::user: {get_param: NovaCronPurgeShadowTablesUser}
|
|
nova::cron::purge_shadow_tables::destination: {get_param: NovaCronPurgeShadowTablesDestination}
|
|
nova::cron::purge_shadow_tables::maxdelay: {get_param: NovaCronPurgeShadowTablesMaxDelay}
|
|
nova::cron::purge_shadow_tables::age: {get_param: NovaCronPurgeShadowTablesAge}
|
|
nova::cron::purge_shadow_tables::verbose: {get_param: NovaCronPurgeShadowTablesVerbose}
|
|
nova::cron::purge_shadow_tables::all_cells: {get_param: NovaCronPurgeShadowTablesAllCells}
|
|
nova_enable_db_archive: {get_param: NovaEnableDBArchive}
|
|
nova::cron::archive_deleted_rows::minute: {get_param: NovaCronArchiveDeleteRowsMinute}
|
|
nova::cron::archive_deleted_rows::hour: {get_param: NovaCronArchiveDeleteRowsHour}
|
|
nova::cron::archive_deleted_rows::monthday: {get_param: NovaCronArchiveDeleteRowsMonthday}
|
|
nova::cron::archive_deleted_rows::month: {get_param: NovaCronArchiveDeleteRowsMonth}
|
|
nova::cron::archive_deleted_rows::weekday: {get_param: NovaCronArchiveDeleteRowsWeekday}
|
|
nova::cron::archive_deleted_rows::max_rows: {get_param: NovaCronArchiveDeleteRowsMaxRows}
|
|
nova::cron::archive_deleted_rows::user: {get_param: NovaCronArchiveDeleteRowsUser}
|
|
nova::cron::archive_deleted_rows::destination: {get_param: NovaCronArchiveDeleteRowsDestination}
|
|
nova::cron::archive_deleted_rows::maxdelay: {get_param: NovaCronArchiveDeleteRowsMaxDelay}
|
|
nova::cron::archive_deleted_rows::until_complete: {get_param: NovaCronArchiveDeleteRowsUntilComplete}
|
|
nova::cron::archive_deleted_rows::purge: {get_param: NovaCronArchiveDeleteRowsPurge}
|
|
nova::cron::archive_deleted_rows::all_cells: {get_param: NovaCronArchiveDeleteAllCells}
|
|
nova::cron::archive_deleted_rows::age: {get_param: NovaCronArchiveDeleteRowsAge}
|
|
nova::cron::archive_deleted_rows::task_log: {get_param: NovaCronArchiveDeleteRowsTaskLog}
|
|
- if:
|
|
- nova_workers_set
|
|
- nova::api::osapi_compute_workers: {get_param: NovaWorkers}
|
|
nova::wsgi::apache_api::workers: {get_param: NovaWorkers}
|
|
service_config_settings:
|
|
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
|
|
mysql:
|
|
map_merge:
|
|
- get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
|
|
- get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
|
|
rsyslog:
|
|
tripleo_logging_sources_nova_api:
|
|
- {get_param: NovaApiLoggingSource}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: nova
|
|
puppet_tags: nova_config,nova_api_paste_ini
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "['Nova_cell_v2'].each |String $val| { noop_resource($val) }"
|
|
- include tripleo::profile::base::nova::api
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: {get_param: ContainerNovaConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/nova_api.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files: &nova_api_db_sync
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
|
|
dest: "/etc/httpd/conf.modules.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions: &nova_api_permissions
|
|
- path: /var/log/nova
|
|
owner: nova:nova
|
|
recurse: true
|
|
/var/lib/kolla/config_files/nova_api_db_sync.json:
|
|
command: "/usr/bin/bootstrap_host_exec nova_api su nova -s /bin/bash -c '/usr/bin/nova-manage api_db sync'"
|
|
config_files: *nova_api_db_sync
|
|
permissions: *nova_api_permissions
|
|
/var/lib/kolla/config_files/nova_api_map_cell0.json:
|
|
command:
|
|
str_replace:
|
|
template: "/usr/bin/bootstrap_host_exec nova_api su nova -s /bin/bash -c '/usr/bin/nova-manage cell_v2 map_cell0 --database_connection=\"CELL0DB\"'"
|
|
params:
|
|
CELL0DB:
|
|
list_join:
|
|
- ''
|
|
- - '{scheme}'
|
|
- '://'
|
|
- '{username}'
|
|
- ':'
|
|
- '{password}'
|
|
- '@'
|
|
-
|
|
if:
|
|
- mysql_ipv6_use_ip_address
|
|
- '[{hostname}]'
|
|
- '{hostname}'
|
|
- '/'
|
|
- 'nova_cell0'
|
|
- '?'
|
|
- '{query}'
|
|
config_files: *nova_api_db_sync
|
|
permissions: *nova_api_permissions
|
|
/var/lib/kolla/config_files/nova_api_ensure_default_cell.json:
|
|
command: "/usr/bin/bootstrap_host_exec nova_api /nova_api_ensure_default_cell.sh"
|
|
config_files: *nova_api_db_sync
|
|
permissions: *nova_api_permissions
|
|
/var/lib/kolla/config_files/nova_api_cron.json:
|
|
command: /usr/sbin/crond -n
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions: *nova_api_permissions
|
|
/var/lib/kolla/config_files/nova_wait_for_api_service.json:
|
|
command: "/usr/bin/bootstrap_host_exec nova_api su nova -s /bin/bash -c '/container-config-scripts/pyshim.sh /container-config-scripts/nova_wait_for_api_service.py'"
|
|
config_files: *nova_api_db_sync
|
|
permissions: *nova_api_permissions
|
|
|
|
container_config_scripts:
|
|
map_merge:
|
|
- {get_attr: [ContainersCommon, container_config_scripts]}
|
|
- nova_wait_for_api_service.py:
|
|
mode: "0755"
|
|
content: { get_file: ../../container_config_scripts/nova_wait_for_api_service.py }
|
|
nova_api_ensure_default_cell.sh:
|
|
mode: "0700"
|
|
content:
|
|
str_replace:
|
|
template: |
|
|
#!/bin/bash
|
|
DEFID=$(su nova -s /bin/bash -c "nova-manage cell_v2 list_cells" | sed -e '1,3d' -e '$d' | awk -F ' *| *' '$2 == "default" {print $4}')
|
|
if [ "$DEFID" ]; then
|
|
echo "(cellv2) Updating default cell_v2 cell $DEFID"
|
|
su nova -s /bin/bash -c "/usr/bin/nova-manage cell_v2 update_cell --cell_uuid $DEFID --name=default --database_connection='CELLDB' --transport-url='TRANSPORTURL'"
|
|
else
|
|
echo "(cellv2) Creating default cell_v2 cell"
|
|
su nova -s /bin/bash -c "/usr/bin/nova-manage cell_v2 create_cell --name=default --database_connection='CELLDB' --transport-url='TRANSPORTURL'"
|
|
fi
|
|
params:
|
|
CELLDB:
|
|
list_join:
|
|
- ''
|
|
- - '{scheme}'
|
|
- '://'
|
|
- '{username}'
|
|
- ':'
|
|
- '{password}'
|
|
- '@'
|
|
- if:
|
|
- mysql_ipv6_use_ip_address
|
|
- '[{hostname}]'
|
|
- '{hostname}'
|
|
- '/'
|
|
- 'nova'
|
|
- '?'
|
|
- '{query}'
|
|
TRANSPORTURL:
|
|
list_join:
|
|
- ''
|
|
- - '{scheme}'
|
|
- '://'
|
|
- '{username}'
|
|
- ':'
|
|
- '{password}'
|
|
- '@'
|
|
- '{hostname}'
|
|
- ':'
|
|
- '{port}'
|
|
- '/'
|
|
- '?'
|
|
- '{query}'
|
|
docker_config:
|
|
step_2:
|
|
get_attr: [NovaApiLogging, docker_config, step_2]
|
|
step_3:
|
|
nova_api_db_sync:
|
|
start_order: 0 # Runs before nova-conductor dbsync
|
|
image: &nova_api_image {get_param: ContainerNovaApiImage}
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NovaApiLogging, volumes]}
|
|
- - /var/lib/kolla/config_files/nova_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/nova:/var/lib/kolla/config_files/src:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
nova_api_map_cell0:
|
|
start_order: 1 # Runs before nova-conductor dbsync
|
|
image: *nova_api_image
|
|
net: host
|
|
detach: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NovaApiLogging, volumes]}
|
|
- - /var/lib/kolla/config_files/nova_api_map_cell0.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/nova:/var/lib/kolla/config_files/src:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
nova_api_ensure_default_cell:
|
|
start_order: 2 # Runs before nova-conductor dbsync
|
|
image: *nova_api_image
|
|
net: host
|
|
detach: false
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NovaApiLogging, volumes]}
|
|
- - /var/lib/kolla/config_files/nova_api_ensure_default_cell.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/nova:/var/lib/kolla/config_files/src:ro
|
|
- /var/lib/container-config-scripts/nova_api_ensure_default_cell.sh:/nova_api_ensure_default_cell.sh:ro
|
|
user: root
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
step_4:
|
|
nova_api:
|
|
start_order: 2
|
|
image: *nova_api_image
|
|
net: host
|
|
user: root
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NovaApiLogging, volumes]}
|
|
- - /var/lib/kolla/config_files/nova_api.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/nova:/var/lib/kolla/config_files/src:ro
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
nova_wait_for_api_service:
|
|
start_order: 3
|
|
image: *nova_api_image
|
|
user: root
|
|
net: host
|
|
privileged: false
|
|
detach: false
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NovaApiLogging, volumes]}
|
|
- - /var/lib/kolla/config_files/nova_wait_for_api_service.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/nova:/var/lib/kolla/config_files/src:ro
|
|
- /var/lib/container-config-scripts/:/container-config-scripts/:z
|
|
environment:
|
|
__OS_DEBUG:
|
|
yaql:
|
|
expression: str($.data.debug)
|
|
data:
|
|
debug: {get_attr: [NovaBase, role_data, config_settings, 'nova::logging::debug']}
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
nova_api_cron:
|
|
start_order: 4
|
|
image: *nova_api_image
|
|
net: host
|
|
user: root
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: '/usr/share/openstack-tripleo-common/healthcheck/cron nova'
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NovaApiLogging, volumes]}
|
|
- - /var/lib/kolla/config_files/nova_api_cron.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/nova:/var/lib/kolla/config_files/src:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
metadata_settings:
|
|
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
|
deploy_steps_tasks:
|
|
list_concat:
|
|
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
|
- - name: validate nova-api container state
|
|
containers.podman.podman_container_info:
|
|
name: nova_api
|
|
register: nova_api_infos
|
|
failed_when:
|
|
- nova_api_infos.containers.0.Healthcheck.Status is defined
|
|
- "'healthy' not in nova_api_infos.containers.0.Healthcheck.Status"
|
|
retries: 10
|
|
delay: 30
|
|
tags:
|
|
- opendev-validation
|
|
- opendev-validation-nova
|
|
when:
|
|
- container_cli == 'podman'
|
|
- not container_healthcheck_disabled
|
|
- step|int == 4
|
|
host_prep_tasks: {get_attr: [NovaApiLogging, host_prep_tasks]}
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop nova api container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- nova_api
|
|
- nova_api_cron
|
|
tripleo_delegate_to: "{{ groups['nova_api'] | default([]) }}"
|