tripleo-heat-templates/deployment/nova/nova-metadata-container-puppet.yaml
Takashi Kajinami 09bcacd25a Add support for keystone_authtoken/memcache_use_advanced_pool
This change introduces a single parameter, MemcacheUseAdvancedPool,
to enable usage of advanced connection pool in keystone middleware.
This is useful to avoid bursting connection to memcached.

Note that the default value of memcached_use_advanced_pool was changed
from false to true during Xena cycle[1], so this parameter is no longer
required in master. However the change in keystonemiddleware will
never be backported. This change is created so that we can switch to
advanced pool even in older releases.

[1] https://review.opendev.org/c/openstack/keystonemiddleware/+/773939

Closes-Bug: #1931047
Change-Id: I2887249af44ccfdae1592dd9120d3366fa059876
2021-06-07 21:08:01 +09:00

293 lines
11 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack containerized Nova Metadata service
parameters:
ContainerNovaMetadataImage:
description: image
type: string
ContainerNovaMetadataConfigImage:
description: The container image to use for the nova config_volume
type: string
NovaMetadataLoggingSource:
type: json
default:
tag: openstack.nova.api.metadata
file: /var/log/containers/nova/nova-metadata-api.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
NovaWorkers:
default: 0
description: Number of workers for Nova services.
type: number
NovaPassword:
description: The password for the nova service and db account
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
NeutronMetadataProxySharedSecret:
description: Shared secret to prevent spoofing
type: string
hidden: true
MonitoringSubscriptionNovaMetadata:
default: 'overcloud-nova-metadata'
type: string
NovaLocalMetadataPerCell:
default: false
description: >
Indicates that the nova-metadata API service has been deployed
per-cell, so that we can have better performance and data isolation in a
multi-cell deployment. Users should consider the use of this configuration
depending on how neutron is setup. If networks span cells, you might need
to run nova-metadata API service globally. If your networks are segmented
along cell boundaries, then you can run nova-metadata API service per cell.
When running nova-metadata API service per cell, you should also configure
each Neutron metadata-agent to point to the corresponding nova-metadata API
service.
type: boolean
MemcacheUseAdvancedPool:
type: boolean
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
conditions:
nova_workers_set:
not: {equals : [{get_param: NovaWorkers}, 0]}
is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../../deployment/database/mysql-client.yaml
NovaMetadataLogging:
type: OS::TripleO::Services::Logging::NovaMetadata
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
NovaBase:
type: ./nova-base-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaApiDBClient:
type: ./nova-apidb-client-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NovaDBClient:
type: ./nova-db-client-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Nova Metadata service.
value:
service_name: nova_metadata
firewall_rules:
'139 nova_metadata':
dport:
- 8775
- 13775
monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
config_settings:
map_merge:
- get_attr: [NovaBase, role_data, config_settings]
- if:
- not: {get_param: NovaLocalMetadataPerCell}
- {get_attr: [NovaApiDBClient, role_data, config_settings]}
- get_attr: [NovaDBClient, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- get_attr: [NovaMetadataLogging, config_settings]
- apache::default_vhost: false
- nova::keystone::authtoken::project_name: 'service'
nova::keystone::authtoken::password: {get_param: NovaPassword}
nova::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
nova::keystone::authtoken::interface: 'internal'
nova::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
nova::wsgi::apache_metadata::api_port: '8775'
nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
nova::wsgi::apache_metadata::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
nova::wsgi::apache_metadata::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
nova::wsgi::apache_metadata::workers:
if:
- nova_workers_set
- {get_param: NovaWorkers}
nova::metadata::neutron_metadata_proxy_shared_secret:
if:
- is_neutron_shared_metadata_notempty
- {get_param: NeutronMetadataProxySharedSecret}
service_config_settings:
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
mysql:
map_merge:
- if:
- not: {get_param: NovaLocalMetadataPerCell}
- get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql]
- get_attr: [NovaDBClient, role_data, service_config_settings, mysql]
rsyslog:
tripleo_logging_sources_nova_metadata:
- {get_param: NovaMetadataLoggingSource}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: nova_metadata
puppet_tags: nova_config
step_config:
list_join:
- "\n"
- - include tripleo::profile::base::nova::metadata
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: ContainerNovaMetadataConfigImage}
kolla_config:
/var/lib/kolla/config_files/nova_metadata.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/nova
owner: nova:nova
recurse: true
docker_config:
step_2:
get_attr: [NovaMetadataLogging, docker_config, step_2]
step_4:
nova_metadata:
start_order: 2
image: {get_param: ContainerNovaMetadataImage}
net: host
user: root
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NovaMetadataLogging, volumes]}
- - /var/lib/kolla/config_files/nova_metadata.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova_metadata:/var/lib/kolla/config_files/src:ro
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
deploy_steps_tasks:
list_concat:
- get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
- - name: validate nova-metadata container state
containers.podman.podman_container_info:
name: nova_metadata
register: nova_metadata_infos
failed_when:
- nova_metadata_infos.containers.0.Healthcheck.Status is defined
- "'healthy' not in nova_metadata_infos.containers.0.Healthcheck.Status"
retries: 10
delay: 30
tags:
- opendev-validation
- opendev-validation-nova
when:
- container_cli == 'podman'
- not container_healthcheck_disabled
- step|int == 5
host_prep_tasks: {get_attr: [NovaMetadataLogging, host_prep_tasks]}
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop nova metadata container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- nova_metadata
tripleo_delegate_to: "{{ groups['nova_metadata'] | default([]) }}"