tripleo-heat-templates/puppet/services/glance-api.yaml

434 lines
17 KiB
YAML

heat_template_version: queens
description: >
OpenStack Glance API service configured with Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
GlanceDebug:
default: ''
description: Set to True to enable debugging Glance service.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
GlancePassword:
description: The password for the glance service and db account, used by the glance services.
type: string
hidden: true
GlanceWorkers:
default: ''
description: |
Number of API worker processes for Glance. If left unset (empty string), the
default value will result in the configuration being left unset and a
system-dependent default value will be chosen (e.g.: number of
processors). Please note that this will create a large number of
processes on systems with a large number of CPUs resulting in excess
memory consumption. It is recommended that a suitable non-default value
be selected on such systems.
type: string
MonitoringSubscriptionGlanceApi:
default: 'overcloud-glance-api'
type: string
GlanceApiLoggingSource:
type: json
default:
tag: openstack.glance.api
path: /var/log/glance/api.log
GlanceImageMemberQuota:
default: 128
description: |
Maximum number of image members per image.
Negative values evaluate to unlimited.
type: number
EnableInternalTLS:
type: boolean
default: false
CephClientUserName:
default: openstack
type: string
CephClusterName:
type: string
default: ceph
description: The Ceph cluster name.
constraints:
- allowed_pattern: "[a-zA-Z0-9]+"
description: >
The Ceph cluster name must be at least 1 character and contain only
letters and numbers.
GlanceNotifierStrategy:
description: Strategy to use for Glance notification queue
type: string
default: noop
GlanceLogFile:
description: The filepath of the file to use for logging messages from Glance.
type: string
default: ''
GlanceBackend:
default: swift
description: The short name of the Glance backend to use. Should be one
of swift, rbd, cinder, or file
type: string
constraints:
- allowed_values: ['swift', 'file', 'rbd', 'cinder']
GlanceNfsEnabled:
default: false
description: >
When using GlanceBackend 'file', mount NFS share for image storage.
type: boolean
GlanceNfsShare:
default: ''
description: >
NFS share to mount for image storage (when GlanceNfsEnabled is true)
type: string
GlanceNetappNfsEnabled:
default: false
description: >
When using GlanceBackend 'file', Netapp mount NFS share for image storage.
type: boolean
NetappShareLocation:
default: ''
description: >
Netapp share to mount for image storage (when GlanceNetappNfsEnabled is true)
type: string
GlanceNfsOptions:
default: '_netdev,bg,intr,context=system_u:object_r:glance_var_lib_t:s0'
description: >
NFS mount options for image storage (when GlanceNfsEnabled is true)
type: string
GlanceRbdPoolName:
default: images
type: string
NovaEnableRbdBackend:
default: false
description: Whether to enable the Rbd backend for Nova ephemeral storage.
type: boolean
tags:
- role_specific
GlanceShowMultipleLocations:
default: false
description: |
Whether to show multiple image locations e.g for copy-on-write support on
RBD or Netapp backends. Potential security risk, see glance.conf for more information.
type: boolean
GlanceEnabledImportMethods:
default: 'web-download'
description: >
List of enabled Image Import Methods. Valid values in the list are
'glance-direct' and 'web-download'
type: comma_delimited_list
GlanceStagingNfsShare:
default: ''
description: >
NFS share to mount for image import staging
type: string
GlanceNodeStagingUri:
default: 'file:///var/lib/glance/staging'
description: >
URI that specifies the staging location to use when importing images
type: string
GlanceStagingNfsOptions:
default: '_netdev,bg,intr,context=system_u:object_r:glance_var_lib_t:s0'
description: >
NFS mount options for NFS image import staging
type: string
RabbitPassword:
description: The password for RabbitMQ
type: string
hidden: true
RabbitUserName:
default: guest
description: The username for RabbitMQ
type: string
RabbitClientPort:
default: 5672
description: Set rabbit subscriber port, change this if using SSL
type: number
RabbitClientUseSSL:
default: false
description: >
Rabbit client subscriber parameter to specify
an SSL connection to the RabbitMQ host.
type: string
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
GlanceApiPolicies:
description: |
A hash of policies to configure for Glance API.
e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
NotificationDriver:
type: string
default: 'messagingv2'
description: Driver or drivers to handle sending notifications.
constraints:
- allowed_values: [ 'messagingv2', 'noop' ]
conditions:
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
glance_workers_unset: {equals : [{get_param: GlanceWorkers}, '']}
service_debug_unset: {equals : [{get_param: GlanceDebug}, '']}
cinder_backend_enabled: {equals: [{get_param: GlanceBackend}, cinder]}
glance_multiple_locations:
or:
- {equals : [{get_param: GlanceShowMultipleLocations}, true]}
- and:
# Keep this for compat, but ignore NovaEnableRbdBackend if it's a role param
- equals:
- get_param: GlanceBackend
- rbd
- equals:
- get_param: NovaEnableRbdBackend
- true
resources:
TLSProxyBase:
type: OS::TripleO::Services::TLSProxyBase
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
description: Role data for the Glance API role.
value:
service_name: glance_api
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
config_settings:
map_merge:
- get_attr: [TLSProxyBase, role_data, config_settings]
- glance::api::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: glance
password: {get_param: GlancePassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /glance
query:
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
glance::api::enable_v1_api: false
glance::api::enable_v2_api: true
glance::api::authtoken::password: {get_param: GlancePassword}
glance::api::enable_proxy_headers_parsing: true
glance::api::debug:
if:
- service_debug_unset
- {get_param: Debug }
- {get_param: GlanceDebug }
glance::policy::policies: {get_param: GlanceApiPolicies}
tripleo.glance_api.firewall_rules:
'112 glance_api':
dport:
- 9292
- 13292
glance::api::authtoken::project_name: 'service'
glance::api::authtoken::user_domain_name: 'Default'
glance::api::authtoken::project_domain_name: 'Default'
glance::api::pipeline: 'keystone'
glance::api::show_image_direct_url: true
glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]}
glance::api::os_region_name: {get_param: KeystoneRegion}
glance::api::image_member_quota: {get_param: GlanceImageMemberQuota}
glance::api::enabled_import_methods: {get_param: GlanceEnabledImportMethods}
glance::api::node_staging_uri: {get_param: GlanceNodeStagingUri}
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
tripleo::profile::base::glance::api::tls_proxy_bind_ip:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
tripleo::profile::base::glance::api::tls_proxy_fqdn:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
tripleo::profile::base::glance::api::tls_proxy_port:
get_param: [EndpointMap, GlanceInternal, port]
# Bind to localhost if internal TLS is enabled, since we put a TLs
# proxy in front.
glance::api::bind_host:
if:
- use_tls_proxy
- "%{hiera('localhost_address')}"
- str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
glance_notifier_strategy: {get_param: GlanceNotifierStrategy}
glance_log_file: {get_param: GlanceLogFile}
glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri] }
glance::backend::swift::swift_store_user: service:glance
glance::backend::swift::swift_store_key: {get_param: GlancePassword}
glance::backend::swift::swift_store_create_container_on_put: true
glance::backend::swift::swift_store_auth_version: 3
glance::backend::rbd::rbd_store_ceph_conf:
list_join:
- ''
- - '/etc/ceph/'
- {get_param: CephClusterName}
- '.conf'
glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName}
glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName}
glance_backend: {get_param: GlanceBackend}
glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName}
glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort}
glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword}
glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
glance::notify::rabbitmq::notification_driver: {get_param: NotificationDriver}
tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled}
tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare}
tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions}
-
if:
- glance_workers_unset
- {}
- glance::api::workers: {get_param: GlanceWorkers}
-
if:
- cinder_backend_enabled
- glance::backend::cinder::cinder_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
glance::backend::cinder::cinder_store_project_name: 'service'
glance::backend::cinder::cinder_store_user_name: 'glance'
glance::backend::cinder::cinder_store_password: {get_param: GlancePassword}
- {}
service_config_settings:
fluentd:
tripleo_fluentd_groups_glance_api:
- glance
tripleo_fluentd_sources_glance_api:
- {get_param: GlanceApiLoggingSource}
keystone:
glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
glance::keystone::auth::password: {get_param: GlancePassword }
glance::keystone::auth::region: {get_param: KeystoneRegion}
glance::keystone::auth::tenant: 'service'
mysql:
glance::db::mysql::password: {get_param: GlancePassword}
glance::db::mysql::user: glance
glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
glance::db::mysql::dbname: glance
glance::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
step_config: |
include ::tripleo::profile::base::glance::api
host_prep_tasks:
- name: Mount Netapp NFS
vars:
netapp_nfs_backend_enable: {get_param: GlanceNetappNfsEnabled}
block:
- name:
set_fact:
remote_file_path: /etc/glance/glance-metadata-file.conf
- name:
file:
path: "{{ remote_file_path }}"
state: touch
- stat: path="{{ remote_file_path }}"
register: file_path
- copy:
content: {"share_location" : "{{item.NETAPP_SHARE}}", "mount_point" : "/var/lib/glance/images", "type" : "nfs",}
dest: "{{ remote_file_path }}"
with_items:
- NETAPP_SHARE: {get_param: NetappShareLocation}
when:
- file_path.stat.exists == true
- name:
mount: name=/var/lib/glance/images src="{{item.NETAPP_SHARE}}" fstype=nfs4 opts="{{item.NFS_OPTIONS}}" state=mounted
with_items:
- NETAPP_SHARE: {get_param: NetappShareLocation}
NFS_OPTIONS: {get_param: GlanceNfsOptions}
when: netapp_nfs_backend_enable
- name: Mount Node Staging Location
vars:
glance_node_staging_uri: {get_param: GlanceNodeStagingUri}
glance_staging_nfs_share: {get_param: GlanceStagingNfsShare}
glance_nfs_options: {get_param: GlanceStagingNfsOptions}
# Gleaning mount point by stripping "file://" prefix from staging uri
mount: name="{{glance_node_staging_uri[7:]}}" src="{{glance_staging_nfs_share}}" fstype=nfs opts="{{glance_nfs_options}}" state=mounted
when: glance_staging_nfs_share != ''
upgrade_tasks:
- name: Check if glance_api is deployed
command: systemctl is-enabled openstack-glance-api
tags: common
ignore_errors: True
register: glance_api_enabled
#(TODO) Remove all glance-registry bits in Pike.
- name: Check if glance_registry is deployed
command: systemctl is-enabled openstack-glance-registry
tags: common
ignore_errors: True
register: glance_registry_enabled
- name: "PreUpgrade step0,validation: Check service openstack-glance-api is running"
shell: /usr/bin/systemctl show 'openstack-glance-api' --property ActiveState | grep '\bactive\b'
tags: validation
when:
- step|int == 0
- glance_api_enabled.rc == 0
- name: Stop glance_api service
when:
- step|int == 1
- glance_api_enabled.rc == 0
service: name=openstack-glance-api state=stopped
- name: Stop and disable glance registry (removed for Ocata)
when:
- step|int == 1
- glance_registry_enabled.rc == 0
service: name=openstack-glance-registry state=stopped enabled=no
metadata_settings:
get_attr: [TLSProxyBase, role_data, metadata_settings]