09bcacd25a
This change introduces a single parameter, MemcacheUseAdvancedPool, to enable usage of advanced connection pool in keystone middleware. This is useful to avoid bursting connection to memcached. Note that the default value of memcached_use_advanced_pool was changed from false to true during Xena cycle[1], so this parameter is no longer required in master. However the change in keystonemiddleware will never be backported. This change is created so that we can switch to advanced pool even in older releases. [1] https://review.opendev.org/c/openstack/keystonemiddleware/+/773939 Closes-Bug: #1931047 Change-Id: I2887249af44ccfdae1592dd9120d3366fa059876
293 lines
11 KiB
YAML
293 lines
11 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack containerized Nova Metadata service
|
|
|
|
parameters:
|
|
ContainerNovaMetadataImage:
|
|
description: image
|
|
type: string
|
|
ContainerNovaMetadataConfigImage:
|
|
description: The container image to use for the nova config_volume
|
|
type: string
|
|
NovaMetadataLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.nova.api.metadata
|
|
file: /var/log/containers/nova/nova-metadata-api.log
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
NovaWorkers:
|
|
default: 0
|
|
description: Number of workers for Nova services.
|
|
type: number
|
|
NovaPassword:
|
|
description: The password for the nova service and db account
|
|
type: string
|
|
hidden: true
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
NeutronMetadataProxySharedSecret:
|
|
description: Shared secret to prevent spoofing
|
|
type: string
|
|
hidden: true
|
|
MonitoringSubscriptionNovaMetadata:
|
|
default: 'overcloud-nova-metadata'
|
|
type: string
|
|
NovaLocalMetadataPerCell:
|
|
default: false
|
|
description: >
|
|
Indicates that the nova-metadata API service has been deployed
|
|
per-cell, so that we can have better performance and data isolation in a
|
|
multi-cell deployment. Users should consider the use of this configuration
|
|
depending on how neutron is setup. If networks span cells, you might need
|
|
to run nova-metadata API service globally. If your networks are segmented
|
|
along cell boundaries, then you can run nova-metadata API service per cell.
|
|
When running nova-metadata API service per cell, you should also configure
|
|
each Neutron metadata-agent to point to the corresponding nova-metadata API
|
|
service.
|
|
type: boolean
|
|
MemcacheUseAdvancedPool:
|
|
type: boolean
|
|
description: |
|
|
Use the advanced (eventlet safe) memcached client pool.
|
|
default: true
|
|
|
|
conditions:
|
|
nova_workers_set:
|
|
not: {equals : [{get_param: NovaWorkers}, 0]}
|
|
is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
|
|
|
|
resources:
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../../deployment/database/mysql-client.yaml
|
|
|
|
NovaMetadataLogging:
|
|
type: OS::TripleO::Services::Logging::NovaMetadata
|
|
|
|
ApacheServiceBase:
|
|
type: ../../deployment/apache/apache-baremetal-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
NovaBase:
|
|
type: ./nova-base-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
NovaApiDBClient:
|
|
type: ./nova-apidb-client-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
NovaDBClient:
|
|
type: ./nova-db-client-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Nova Metadata service.
|
|
value:
|
|
service_name: nova_metadata
|
|
firewall_rules:
|
|
'139 nova_metadata':
|
|
dport:
|
|
- 8775
|
|
- 13775
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [NovaBase, role_data, config_settings]
|
|
- if:
|
|
- not: {get_param: NovaLocalMetadataPerCell}
|
|
- {get_attr: [NovaApiDBClient, role_data, config_settings]}
|
|
- get_attr: [NovaDBClient, role_data, config_settings]
|
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
|
- get_attr: [NovaMetadataLogging, config_settings]
|
|
- apache::default_vhost: false
|
|
- nova::keystone::authtoken::project_name: 'service'
|
|
nova::keystone::authtoken::password: {get_param: NovaPassword}
|
|
nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
|
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
|
|
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
|
nova::keystone::authtoken::interface: 'internal'
|
|
nova::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
|
|
nova::wsgi::apache_metadata::api_port: '8775'
|
|
nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
|
|
nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}
|
|
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
nova::wsgi::apache_metadata::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
|
|
nova::wsgi::apache_metadata::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
|
|
nova::wsgi::apache_metadata::workers:
|
|
if:
|
|
- nova_workers_set
|
|
- {get_param: NovaWorkers}
|
|
nova::metadata::neutron_metadata_proxy_shared_secret:
|
|
if:
|
|
- is_neutron_shared_metadata_notempty
|
|
- {get_param: NeutronMetadataProxySharedSecret}
|
|
service_config_settings:
|
|
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
|
|
mysql:
|
|
map_merge:
|
|
- if:
|
|
- not: {get_param: NovaLocalMetadataPerCell}
|
|
- get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
|
|
- get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
|
|
rsyslog:
|
|
tripleo_logging_sources_nova_metadata:
|
|
- {get_param: NovaMetadataLoggingSource}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: nova_metadata
|
|
puppet_tags: nova_config
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - include tripleo::profile::base::nova::metadata
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: {get_param: ContainerNovaMetadataConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/nova_metadata.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
|
|
dest: "/etc/httpd/conf.modules.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/nova
|
|
owner: nova:nova
|
|
recurse: true
|
|
docker_config:
|
|
step_2:
|
|
get_attr: [NovaMetadataLogging, docker_config, step_2]
|
|
step_4:
|
|
nova_metadata:
|
|
start_order: 2
|
|
image: {get_param: ContainerNovaMetadataImage}
|
|
net: host
|
|
user: root
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NovaMetadataLogging, volumes]}
|
|
- - /var/lib/kolla/config_files/nova_metadata.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/nova_metadata:/var/lib/kolla/config_files/src:ro
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
deploy_steps_tasks:
|
|
list_concat:
|
|
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
|
- - name: validate nova-metadata container state
|
|
containers.podman.podman_container_info:
|
|
name: nova_metadata
|
|
register: nova_metadata_infos
|
|
failed_when:
|
|
- nova_metadata_infos.containers.0.Healthcheck.Status is defined
|
|
- "'healthy' not in nova_metadata_infos.containers.0.Healthcheck.Status"
|
|
retries: 10
|
|
delay: 30
|
|
tags:
|
|
- opendev-validation
|
|
- opendev-validation-nova
|
|
when:
|
|
- container_cli == 'podman'
|
|
- not container_healthcheck_disabled
|
|
- step|int == 5
|
|
host_prep_tasks: {get_attr: [NovaMetadataLogging, host_prep_tasks]}
|
|
metadata_settings:
|
|
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop nova metadata container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- nova_metadata
|
|
tripleo_delegate_to: "{{ groups['nova_metadata'] | default([]) }}"
|