tripleo-heat-templates/environments/undercloud.yaml

parameter_merge_strategies:
  default: overwrite
  UndercloudExtraConfig: deep_merge

resource_registry:
  OS::TripleO::Services::Tmpwatch: ../deployment/logrotate/tmpwatch-install.yaml
  OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/noop.yaml
  OS::TripleO::Network::Ports::OVNDBsVipPort: ../network/ports/noop.yaml
  OS::TripleO::Network::Ports::ControlPlaneVipPort: ../deployed-server/deployed-neutron-port.yaml
  OS::TripleO::Undercloud::Net::SoftwareConfig: ../net-config-undercloud.yaml
  OS::TripleO::NodeExtraConfigPost: ../extraconfig/post_deploy/undercloud_post.yaml
  OS::TripleO::Services::DockerRegistry: ../deployment/image-serve/image-serve-baremetal-ansible.yaml
  OS::TripleO::Services::ContainerImagePrepare: ../deployment/container-image-prepare/container-image-prepare-baremetal-ansible.yaml
  # Allows us to control the external VIP for Undercloud SSL
  OS::TripleO::Network::Ports::ExternalVipPort: ../network/ports/external_from_pool.yaml

  OS::TripleO::Services::ComputeNeutronOvsAgent: ../deployment/neutron/neutron-ovs-agent-container-puppet.yaml
  OS::TripleO::Services::NeutronOvsAgent: ../deployment/neutron/neutron-ovs-agent-container-puppet.yaml
  OS::TripleO::Services::NeutronDhcpAgent: ../deployment/neutron/neutron-dhcp-container-puppet.yaml
  OS::TripleO::Services::NeutronL3Agent: ../deployment/neutron/neutron-l3-container-puppet.yaml
  OS::TripleO::Services::NeutronCorePlugin: ../deployment/neutron/neutron-plugin-ml2-container-puppet.yaml
  OS::TripleO::Docker::NeutronMl2PluginBase: ../deployment/neutron/neutron-plugin-ml2.yaml

  OS::TripleO::Services::OpenStackClients: ../deployment/clients/openstack-clients-baremetal-puppet.yaml

  # services we disable by default on the undercloud
  OS::TripleO::Services::AodhApi: OS::Heat::None
  OS::TripleO::Services::AodhEvaluator: OS::Heat::None
  OS::TripleO::Services::AodhNotifier: OS::Heat::None
  OS::TripleO::Services::AodhListener: OS::Heat::None
  OS::TripleO::Services::CeilometerAgentCentral: OS::Heat::None
  OS::TripleO::Services::CeilometerAgentNotification: OS::Heat::None
  OS::TripleO::Services::CeilometerAgentIpmi: OS::Heat::None
  OS::TripleO::Services::GnocchiApi: OS::Heat::None
  OS::TripleO::Services::GnocchiMetricd: OS::Heat::None
  OS::TripleO::Services::GnocchiStatsd: OS::Heat::None
  OS::TripleO::Services::Redis: OS::Heat::None
  OS::TripleO::Services::CinderApi: OS::Heat::None
  OS::TripleO::Services::CinderScheduler: OS::Heat::None
  OS::TripleO::Services::CinderVolume: OS::Heat::None
  OS::TripleO::Services::HeatApiCfn: OS::Heat::None
  OS::TripleO::Services::NovaMetadata: OS::Heat::None
  OS::TripleO::Services::NeutronMetadataAgent: OS::Heat::None

  # Services we don't ever want configured. See LP#1824030
  OS::TripleO::Services::Pacemaker: OS::Heat::None
  OS::TripleO::Services::PacemakerRemote: OS::Heat::None
  OS::TripleO::Services::Clustercheck: OS::Heat::None

  # Ensure non-pacemaker versions. See LP#1824030
  # CinderVolume is set to None above and OVNdbs is currently not in the list in role_data_undercloud.yaml so
  # avoiding that as well until the UC switches to OVN
  OS::TripleO::Services::MySQL: ../deployment/database/mysql-container-puppet.yaml
  OS::TripleO::Services::OsloMessagingRpc: ../deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
  OS::TripleO::Services::OsloMessagingNotify: ../deployment/rabbitmq/rabbitmq-messaging-notify-shared-puppet.yaml

  # Enable Podman on the Undercloud.
  # This line will drop in Stein when it becomes the default.
  OS::TripleO::Services::Podman: ../deployment/podman/podman-baremetal-ansible.yaml

  # Undercloud HA services
  OS::TripleO::Services::HAproxy: OS::Heat::None
  OS::TripleO::Services::Keepalived: OS::Heat::None

parameter_defaults:
  # ensure we enable ip_forward before docker gets run
  KernelIpForward: 1
  KernelIpNonLocalBind: 1
  KeystoneCorsAllowedOrigin: '*'
  KeystoneEnableMember: true
  # Increase the Token expiration time until we fix the actual session bug:
  # https://bugs.launchpad.net/tripleo/+bug/1761050
  TokenExpiration: 14400
  EnablePackageInstall: true
  StackAction: CREATE
  NeutronTunnelTypes: []
  NeutronBridgeMappings: ctlplane:br-ctlplane
  NeutronAgentExtensions: []
  NeutronFlatNetworks: '*'
  NovaSchedulerAvailableFilters: 'tripleo_common.filters.list.tripleo_filters'
  NovaSchedulerDefaultFilters: ['RetryFilter', 'TripleOCapabilitiesFilter', 'ComputeCapabilitiesFilter', 'AvailabilityZoneFilter', 'ComputeFilter', 'ImagePropertiesFilter', 'ServerGroupAntiAffinityFilter', 'ServerGroupAffinityFilter']
  NovaSchedulerMaxAttempts: 30
  # Disable compute auto disabling:
  # As part of Pike, nova introduced a change to have the nova-compute
  # process automatically disable the nova-compute instance in the case of
  # consecutive build failures. This can lead to odd errors when deploying
  # the ironic nodes on the undercloud as you end up with a ComputeFilter
  # error. This parameter disables this functionality for the undercloud since
  # we do not want the nova-compute instance running on the undercloud for
  # Ironic to be disabled in the case of multiple deployment failures.
  NovaAutoDisabling: '0'
  NovaCorsAllowedOrigin: '*'
  NovaSyncPowerStateInterval: -1
  NeutronDhcpAgentsPerNetwork: 2
  HeatConvergenceEngine: true
  HeatCorsAllowedOrigin: '*'
  HeatMaxNestedStackDepth: 7
  HeatMaxResourcesPerStack: -1
  HeatMaxJsonBodySize: 4194304
  HeatReauthenticationAuthMethod: 'trusts'
  HeatYaqlLimitIterators: 10000
  # Disable non-lifecycle stack actions like
  # snapshot, resume, cancel update and stack check.
  HeatApiPolicies:
    heat-deny-action:
      key: 'actions:action'
      value: 'rule:deny_everybody'
  IronicCleaningDiskErase: 'metadata'
  IronicCorsAllowedOrigin: '*'
  IronicDefaultInspectInterface: 'inspector'
  IronicDefaultResourceClass: 'baremetal'
  IronicEnabledHardwareTypes: ['ipmi', 'redfish', 'idrac', 'ilo']
  IronicEnabledBootInterfaces: ['pxe', 'ilo-pxe']
  IronicEnabledConsoleInterfaces: ['ipmitool-socat', 'ilo', 'no-console']
  IronicEnabledDeployInterfaces: ['iscsi', 'direct', 'ansible']
  IronicEnabledInspectInterfaces: ['inspector', 'no-inspect']
  IronicEnabledManagementInterfaces: ['ipmitool', 'redfish', 'idrac', 'ilo']
  # NOTE(dtantsur): disabling advanced networking as it's not used (or
  # configured) in the undercloud
  IronicEnabledNetworkInterfaces: ['flat']
  IronicEnabledPowerInterfaces: ['ipmitool', 'redfish', 'idrac', 'ilo']
  # NOTE(dtantsur): disabling the "agent" RAID as our ramdisk does not contain
  # any vendor-specific RAID additions.
  IronicEnabledRaidInterfaces: ['no-raid']
  # NOTE(dtantsur): we don't use boot-from-cinder on the undercloud
  IronicEnabledStorageInterfaces: ['noop']
  IronicEnabledVendorInterfaces: ['ipmitool', 'idrac', 'no-vendor']
  IronicEnableStagingDrivers: true
  IronicCleaningNetwork: 'ctlplane'
  IronicForcePowerStateDuringSync: false
  IronicInspectorCollectors: default,extra-hardware,numa-topology,logs
  IronicInspectorInterface: br-ctlplane
  # IronicInspectorSubnets:
  #   - ip_range: '192.168.24.100,192.168.24.200'
  IronicProvisioningNetwork: 'ctlplane'
  IronicRescuingNetwork: 'ctlplane'
  ZaqarMessageStore: 'swift'
  ZaqarManagementStore: 'sqlalchemy'
  MistralCorsAllowedOrigin: '*'
  MistralExecutionFieldSizeLimit: 16384
  MistralExecutorVolumes:
    - /var/lib/config-data/nova/etc/nova:/etc/nova:ro
  NeutronServicePlugins: router,segments
  NeutronMechanismDrivers: ['openvswitch', 'baremetal']
  NeutronNetworkVLANRanges: 'physnet1:1000:2999'
  NeutronPluginExtensions: 'port_security'
  NeutronFirewallDriver: ''
  NeutronNetworkType: ['local','flat','vlan','gre','vxlan']
  NeutronTunnelIdRanges: '20:100'
  NeutronTypeDrivers: ['local','flat','vlan','gre','vxlan']
  NeutronVniRanges: '10:100'
  NeutronEnableDVR: false
  NeutronPortQuota: '-1'
  # This allows MTU > 1500 for the overcloud if local_mtu is set to 1500
  # See LP#1826729
  TenantNetPhysnetMtu: 0
  SwiftCorsAllowedOrigin: '*'
  SwiftReplicas: 1
  SwiftWorkers: 2
  SwiftAccountWorkers: 2
  SwiftContainerWorkers: 2
  SwiftObjectWorkers: 2
  # A list of static routes for the control plane network. Ensure traffic to
  # nodes on remote control plane networks use the correct network path.
  # Example:
  #   ControlPlaneStaticRoutes:
  #     - ip_netmask: 192.168.25.0/24
  #       next_hop: 192.168.24.1
  #     - ip_netmask: 192.168.26.0/24
  #       next_hop: 192.168.24.1
  ControlPlaneStaticRoutes: []
  # A dictionary of Undercloud ctlplane subnets.
  # NOTE(hjensas): This should be {} in this environment file, otherwise it may
  # results in values set here being merged with the values set in
  # undercloud.conf. See Bug: https://bugs.launchpad.net/tripleo/+bug/1820330
  # Example:
  #   UndercloudCtlplaneSubnets:
  #     ctlplane-subnet:
  #       NetworkCidr: '192.168.24.0/24'
  #       NetworkGateway: '192.168.24.1'
  #       DhcpRangeStart: '192.168.24.5'
  #       DhcpRangeEnd: '192.168.24.24'
  #       HostRoutes:
  #         - {'destination': '10.10.10.0/24', 'nexthop': '192.168.24.254'}
  UndercloudCtlplaneSubnets: {}
  UndercloudCtlplaneLocalSubnet: 'ctlplane-subnet'
  MistralDockerGroup: true
  PasswordAuthentication: 'yes'
  HeatEngineOptVolumes:
    - /usr/lib/heat:/usr/lib/heat:ro
  MySQLServerOptions:
    mysqld:
      connect_timeout: 60
  # TODO(emilien) Remove when Keepalived 2.0.6 is out
  # https://bugs.launchpad.net/tripleo/+bug/1791238
  KeepalivedRestart: true
  SshFirewallAllowAll: true
  UndercloudExtraConfig:
    aodh::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    barbican::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    ceilometer::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    cinder::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    congress::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    ec2api::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    glance::api::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    gnocchi::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    heat::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    heat::cache::memcache_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    horizon::cache_server_ip: "%{hiera('memcached::listen_ip_uri')}:11211"
    ironic::api::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    ironic::inspector::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    keystone::cache_memcache_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    keystone::cache_backend: "dogpile.cache.memcached"
    manila::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    mistral::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    neutron::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    nova::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    nova::cache::memcache_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    nova::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    sahara::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    swift::proxy::authtoken::memcache_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    swift::proxy::cache::memcache_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    tacker::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    zaqar::keystone::authtoken::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"
    swift::objectexpirer::memcached_servers: "%{hiera('memcached::listen_ip_uri')}:11211"