RETIRED, Heat templates for deploying OpenStack
Martin Schuppert 59a235340c Simplify libvirt/qemu ssl certificates
On the compute nodes, right now ssl certificates got created for
libvirt, qemu-default, qemu-vnc and qemu-nbd. This is not required
because all services use the same NovaLibvirtNetwork network and
therefore multiple certificates for the same hostname get created.
Also from the qemu point of view, if the default_tls_x509_cert_dir and
default_tls_x509_verify parameters get set for all certificates, there
is no need to specify any of the other *_tls* config options. From [1]:

The intention (of libvirt) is that you can just use the
default_tls_x509_* config attributes so that you don't need to set any
other *_tls* parameters, unless you need different certificates for
some services. The rationale for that is that some services (e.g.
migration / NBD) are only exposed to internal infrastructure; while
some services (VNC, Spice) might be exposed publicly, so might need
different certificates. For OpenStack this does not matter, though,
we will stick with the defaults.

Therefore with this change InternalTLSNbdCAFile, InternalTLSVncCAFile
and InternalTLSQemuCAFile get removed (which defaulted to
/etc/ipa/ca.crt anyway) and just use InternalTLSCAFile.

Also all certificates get created when EnableInternalTLS is true, and
all SSL certificates get mounted from the host. This is to prevent
certificate information from being unavailable in a qemu process's
container environment if features get switched later, which has shown
to be problematic.

[1] https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html

Also squashes c904c7555c into this
backport:
Explicit set qemu certificate group ownership

While the certificates get requested with the appropriate group
root:qemu [1] and copied to /etc/pki/qemu/ with -a, it has been seen
that the group ownership is not correct on the target certificate
files. Let's set explicit group ownership via the run_after
script.

Closes-Bug: #1933330

[1] https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/nova/nova-libvirt-container-puppet.yaml#L777-L779

Change-Id: Ie2c78fc3a07be1cd22cb6cac240047b5d2b9cd0a
(cherry picked from commit d20f295f3a)
2021-07-08 08:52:59 +00:00
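The commit above rests on two things an operator or reviewer will want to verify on a compute node after deployment: that qemu.conf sets only the default_tls_x509_* options (so every libvirt/qemu service picks up the single certificate set instead of per-service copies), and that the files in the default certificate directory carry the root:qemu group ownership the run_after script now enforces, with private keys unreadable by "other". The checks below are an added example, not code from the commit or from tripleo-heat-templates. They assume libvirt's default certificate directory /etc/pki/qemu with the conventional file names ca-cert.pem, server-cert.pem, server-key.pem, client-cert.pem and client-key.pem, a config file at /etc/libvirt/qemu.conf, the per-service option names from libvirt's qemu.conf, and GNU coreutils stat.

```shell
#!/bin/sh
# Added example: sanity checks for the qemu native-TLS certificate layout
# described in the commit above. Not part of tripleo-heat-templates.

# Conventional libvirt/qemu certificate file names (assumed, per libvirt's
# default_tls_x509_cert_dir convention).
QEMU_TLS_FILES="ca-cert.pem server-cert.pem server-key.pem client-cert.pem client-key.pem"

# Per-service cert-dir overrides that should not be needed once the
# default_tls_x509_* options are set (option names from libvirt's qemu.conf).
PER_SERVICE_TLS_DIRS="vnc_tls_x509_cert_dir spice_tls_x509_cert_dir migrate_tls_x509_cert_dir nbd_tls_x509_cert_dir chardev_tls_x509_cert_dir"

# check_qemu_tls_certs DIR GROUP
# Returns 0 when every expected file exists in DIR, is owned by GROUP, and
# every private key denies all access to "other". Findings go to stderr.
check_qemu_tls_certs() {
  dir="${1:-/etc/pki/qemu}"
  group="${2:-qemu}"
  rc=0
  for f in $QEMU_TLS_FILES; do
    p="$dir/$f"
    if [ ! -f "$p" ]; then
      echo "MISSING: $p" >&2
      rc=1
      continue
    fi
    # GNU coreutils stat (assumed): %G = group name, %a = octal mode
    g=$(stat -c '%G' "$p")
    m=$(stat -c '%a' "$p")
    if [ "$g" != "$group" ]; then
      echo "WRONG GROUP: $p is $g, expected $group" >&2
      rc=1
    fi
    case "$f" in
      *-key.pem)
        # the last octal digit is the "other" class; anything but 0 leaks the key
        case "$m" in
          *0) ;;
          *) echo "WORLD-ACCESSIBLE KEY: $p has mode $m" >&2; rc=1 ;;
        esac
        ;;
    esac
  done
  return $rc
}

# qemu_conf_uses_defaults FILE
# Returns 0 when FILE sets default_tls_x509_cert_dir, sets
# default_tls_x509_verify = 1, and sets none of the per-service
# *_tls_x509_cert_dir overrides; returns 1 (with messages on stderr) otherwise.
qemu_conf_uses_defaults() {
  conf="${1:-/etc/libvirt/qemu.conf}"
  rc=0
  if ! grep -Eq '^[[:space:]]*default_tls_x509_cert_dir[[:space:]]*=' "$conf"; then
    echo "default_tls_x509_cert_dir not set in $conf" >&2
    rc=1
  fi
  if ! grep -Eq '^[[:space:]]*default_tls_x509_verify[[:space:]]*=[[:space:]]*1' "$conf"; then
    echo "default_tls_x509_verify is not 1 in $conf (peer certificates not verified)" >&2
    rc=1
  fi
  for k in $PER_SERVICE_TLS_DIRS; do
    if grep -Eq "^[[:space:]]*$k[[:space:]]*=" "$conf"; then
      echo "redundant per-service override $k set in $conf" >&2
      rc=1
    fi
  done
  return $rc
}

# verify_qemu_tls_chain DIR
# Confirms the server and client certificates chain to ca-cert.pem in DIR
# (needs the openssl CLI; exits non-zero if either certificate fails).
verify_qemu_tls_chain() {
  dir="${1:-/etc/pki/qemu}"
  openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" "$dir/client-cert.pem"
}

# Usage on a compute node (not executed here):
#   check_qemu_tls_certs /etc/pki/qemu qemu \
#     && qemu_conf_uses_defaults /etc/libvirt/qemu.conf \
#     && verify_qemu_tls_chain /etc/pki/qemu
```

On a TripleO host the rendered config is normally read from the puppet-generated config-data tree rather than /etc/libvirt directly, and the certificate directory is bind-mounted into the nova_libvirt container, so point the functions at whichever path the container actually mounts (an assumption to confirm on the node, not something the commit states). A wrong group on server-key.pem is exactly the failure the squashed change fixes: libvirt's qemu processes run as the qemu user, so a root:root key with mode 0640 makes every TLS-enabled service fail to start.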
Repository contents (stable/wallaby)

Path | Last commit | Date
ci | Move designate from experimental | 2021-06-28 17:25:15 -02:30
common | Merge "Refactor OVN bridge MAC addresses" into stable/wallaby | 2021-06-16 12:33:00 +00:00
container_config_scripts | HA minor update: fix bad pcs invocation | 2021-06-10 15:12:51 +00:00
deployed-server | Make UpgradeLeappDevelSkip per-role | 2021-06-16 09:42:43 +00:00
deployment | Simplify libvirt/qemu ssl certificates | 2021-07-08 08:52:59 +00:00
doc | Add doc/requirements | 2021-01-05 09:49:46 +01:00
environments | Adjust enable-stf.yaml for latest recommendations | 2021-07-05 13:37:41 +00:00
extraconfig | Set OS_CLOUD instead in stackrc | 2021-06-21 07:05:11 +00:00
firstboot | Use 'wallaby' heat_template_version | 2021-03-31 17:35:12 +05:30
network | Remove NovaVncProxyNetwork from ServiceNetMap | 2021-06-30 11:03:43 +02:00
network-data-samples | Add network-v2 default files + vip data examples | 2021-06-23 19:02:09 +00:00
plan-samples | Fix plan-samples README.rst | 2021-03-04 13:42:01 +05:30
puppet | Merge "Make UpgradeLeappDevelSkip per-role" into stable/wallaby | 2021-06-18 04:42:29 +00:00
releasenotes | Simplify libvirt/qemu ssl certificates | 2021-07-08 08:52:59 +00:00
roles | Merge "Add Ephemeral Heat service" into stable/wallaby | 2021-06-29 14:22:41 +00:00
sample-env-generator | Move designate from experimental | 2021-06-28 17:25:15 -02:30
scripts | Extend UC ephemeral heat to export network | 2021-06-28 19:05:40 +00:00
tools | Merge "Add network-v2 default files + vip data examples" into stable/wallaby | 2021-06-28 21:18:45 +00:00
tripleo_heat_templates | Enable ansible-lint | 2021-03-30 09:18:15 +01:00
zuul.d | Add openstack-tox-tht to the gate | 2021-05-13 13:48:21 +00:00
.ansible-lint | Remove duplicate keys from yaml files | 2021-03-29 13:56:31 +00:00
.gitignore | Enable ansible-lint | 2021-03-30 09:18:15 +01:00
.gitreview | Update .gitreview for stable/wallaby | 2021-05-05 15:36:12 +00:00
.testr.conf | Improve nova statedir ownership logic | 2018-07-09 17:07:30 +01:00
babel.cfg | Add release configuration. | 2013-10-22 17:49:35 +01:00
bindep.txt | Fixed tox executions | 2021-03-26 15:37:07 +00:00
config-download-software.yaml | Use 'wallaby' heat_template_version | 2021-03-31 17:35:12 +05:30
config-download-structured.yaml | Use 'wallaby' heat_template_version | 2021-03-31 17:35:12 +05:30
j2_excludes.yaml | Remove ipv6 specific network templates | 2017-08-31 13:12:17 -07:00
LICENSE | Add license file | 2014-01-20 11:58:20 +01:00
network_data_dashboard.yaml | Add a StorageDashboard network used by CephGrafana service | 2019-08-30 19:16:47 +02:00
network_data_default.yaml | Add network-v2 default files + vip data examples | 2021-06-23 19:02:09 +00:00
network_data_ganesha.yaml | Use appropriate allocation pools for StorageNFS | 2020-08-26 15:27:52 +00:00
network_data_routed.yaml | Merge "Allow overlay tunnel endpoints on IPv6 address" | 2019-01-10 21:13:19 +00:00
network_data_subnets_routed.yaml | L3 routed networks - data + env (1/3) | 2018-12-30 19:24:29 +01:00
network_data_undercloud.yaml | Add network data for the undercloud | 2019-01-21 19:35:37 +01:00
network_data.yaml | Add external_resource_vip_id property to network_data.yaml | 2019-03-25 10:48:40 -04:00
overcloud-resource-registry-puppet.j2.yaml | Merge "Add Ephemeral Heat service" into stable/wallaby | 2021-06-29 14:22:41 +00:00
overcloud.j2.yaml | Add THT Jinja2 data sources as stack output | 2021-07-01 14:10:09 +02:00
README.rst | Remove Sahara support | 2020-10-19 09:39:36 +09:00
requirements.txt | Deprecate EnablePaunch and remove Paunch support | 2020-06-03 17:53:40 +00:00
roles_data_undercloud.yaml | Merge "Add Ephemeral Heat service" into stable/wallaby | 2021-06-29 14:22:41 +00:00
roles_data.yaml | Add OVNCMSOptions to Controller and Networker roles | 2021-06-02 00:10:42 +00:00
setup.cfg | Add support for py39 | 2021-03-24 09:40:57 +00:00
setup.py | Updated from global requirements | 2017-03-28 13:03:01 +00:00
test-ansible-requirements.txt | Ansible lint check in THT | 2019-10-30 04:56:05 -04:00
test-requirements.txt | Enable ansible-lint | 2021-03-30 09:18:15 +00:00
tox.ini | Update TOX_CONSTRAINTS_FILE for stable/wallaby | 2021-05-05 15:36:16 +00:00
vip_data_default.yaml | Add network-v2 default files + vip data examples | 2021-06-23 19:02:09 +00:00

tripleo-heat-templates

Heat templates to deploy OpenStack using OpenStack.

Features

The ability to deploy a multi-node, role based OpenStack deployment using OpenStack Heat. Notable features include:

  • Choice of deployment/configuration tooling: puppet, (soon) docker
  • Role based deployment: roles for the controller, compute, ceph, swift, and cinder storage
  • physical network configuration: support for isolated networks, bonding, and standard ctlplane networking

Directories

A description of the directory layout in TripleO Heat Templates.

  • environments: contains heat environment files that can be used with -e on the command line to enable features, etc.
  • extraconfig: templates used to enable 'extra' functionality. Includes functionality for distro specific registration and upgrades.
  • firstboot: example first_boot scripts that can be used when initially creating instances.
  • network: heat templates to help create isolated networks and ports.
  • puppet: templates mostly driven by configuration with puppet. To use these templates you can use the overcloud-resource-registry-puppet.yaml.
  • validation-scripts: validation scripts useful to all deployment configurations.
  • roles: example roles that can be used with the tripleoclient to generate a roles_data.yaml for a deployment. See the roles/README.rst for additional details.

Service testing matrix

The configuration for the CI scenarios will be defined in tripleo-heat-templates/ci/ and should be executed according to the following table:

Columns: scn000 | scn001 | scn002 | scn003 | scn004 | scn006 | scn007 | scn009 | scn010 | scn013 | non-ha | ovh-ha
(blank cells are not shown; each row lists its non-empty cells in column order)

keystone: X X X X X X X X X X X
glance: rbd swift file rgw file file rbd file file file
cinder: rbd iscsi
heat: X X
ironic: X
mysql: X X X X X X X X X X X
neutron: ovn ovn ovn ovn ovn ovs ovn ovn ovn ovn
neutron-bgpvpn: wip ovn X
neutron-l2gw: wip
om-rpc: rabbit rabbit amqp1 rabbit rabbit rabbit rabbit rabbit rabbit rabbit
om-notify: rabbit rabbit rabbit rabbit rabbit rabbit rabbit rabbit rabbit rabbit
redis: X X
haproxy: X X X X X X X X X X
memcached: X X X X X X X X X X
pacemaker: X X X X X X X X X X
nova: qemu qemu qemu qemu ironic qemu qemu qemu qemu qemu
placement: X X X X X X X X X X
ntp: X X X X X X X X X X X X
snmp: X X X X X X X X X X X X
timezone: X X X X X X X X X X X X
mistral: X
swift: X
aodh: X X
ceilometer: X X
gnocchi: rbd swift
barbican: X
zaqar: X
cephrgw: X
cephmds: X
manila: X
collectd: X
designate: X
octavia: X X
rear: X
Extra Firewall: X