f8e7bf2bba
The undercloud installation sets InternalTLSCAFile to '' when undercloud_service_certificate is set (done via I5d7f35194f98b2d5c06a417cac75d52ff646def0 "undercloud: Disable CA path if user-provided cert is used"). In this case we end up setting rabbitmq::{ssl_cacert,ssl_management_cacert} to '' which then breaks puppet-rabbitmq because it verifies that they are absolute paths. Let's just skip passing them when InternalTLSCAFile is set to empty. Depends-On: I4e9801ba3ced734e5aa3fa22df522fab0e84761a Closes-Bug: #1947776 Change-Id: I16f0fd04e1ae941d09d567eadaeb5bda959099fc
437 lines
18 KiB
YAML
437 lines
18 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack containerized Rabbitmq service
|
|
|
|
parameters:
|
|
ContainerRabbitmqImage:
|
|
description: image
|
|
type: string
|
|
ContainerRabbitmqConfigImage:
|
|
description: The container image to use for the rabbitmq config_volume
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
RabbitCookie:
|
|
type: string
|
|
default: ''
|
|
hidden: true
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
RabbitUserName:
|
|
default: guest
|
|
description: The username for RabbitMQ
|
|
type: string
|
|
RabbitPassword:
|
|
description: The password for RabbitMQ
|
|
type: string
|
|
hidden: true
|
|
RabbitFDLimit:
|
|
default: 65536
|
|
description: Configures RabbitMQ FD limit
|
|
type: number
|
|
RabbitTCPBacklog:
|
|
default: 4096
|
|
description: Configures RabbitMQ maximum TCP Backlog
|
|
type: number
|
|
RabbitIPv6:
|
|
default: false
|
|
description: Enable IPv6 in RabbitMQ
|
|
type: boolean
|
|
RabbitHAQueues:
|
|
description:
|
|
The number of HA queues to be configured in rabbit. The default is -1 which
|
|
translates to "ha-mode all". The special value 0 will be automatically
|
|
overridden to CEIL(N/2) where N is the number of nodes running rabbitmq.
|
|
default: 0
|
|
type: number
|
|
RabbitNetTickTime:
|
|
description:
|
|
The number of seconds to configure the value of the erlang
|
|
net_ticktime kernel variable.
|
|
default: 15
|
|
type: number
|
|
RabbitAdditionalErlArgs:
|
|
description:
|
|
Additional parameters passed to the Erlang subsystem. The string
|
|
needs to be enclosed in quotes twice. We default to '+sbwt none
|
|
+sbwtdcpu none +sbwtdio none' in order to have the erlang vm be
|
|
less busy on spinlocks, but we allow a simple way of overriding
|
|
it.
|
|
default: "'+sbwt none +sbwtdcpu none +sbwtdio none'"
|
|
type: string
|
|
MonitoringSubscriptionRabbitmq:
|
|
default: 'overcloud-rabbitmq'
|
|
type: string
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
CertificateKeySize:
|
|
type: string
|
|
default: '2048'
|
|
description: Specifies the private key size used when creating the
|
|
certificate.
|
|
RabbitmqCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
RabbitmqEnableManagementAccess:
|
|
type: boolean
|
|
default: false
|
|
description: Allow access to RabbitMQ management plugin over network
|
|
|
|
parameter_groups:
|
|
- label: deprecated
|
|
description: |
|
|
The following parameters are deprecated and will be removed. They should not
|
|
be relied on for new deployments. If you have concerns regarding deprecated
|
|
parameters, please contact the TripleO development team on IRC or the
|
|
OpenStack mailing list.
|
|
parameters:
|
|
- RabbitIPv6
|
|
|
|
conditions:
|
|
is_ipv6:
|
|
equals:
|
|
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, RabbitmqNetwork]}]}
|
|
- 6
|
|
key_size_override_set:
|
|
not: {equals: [{get_param: RabbitmqCertificateKeySize}, '']}
|
|
rabbitmq_cacert_set:
|
|
not: {equals: [{get_param: InternalTLSCAFile}, '']}
|
|
|
|
resources:
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Rabbitmq API role.
|
|
value:
|
|
service_name: rabbitmq
|
|
firewall_rules:
|
|
'109 rabbitmq':
|
|
dport:
|
|
list_concat:
|
|
- - 4369
|
|
- 5672
|
|
- 25672
|
|
- 25673-25683
|
|
- if:
|
|
- {get_param: RabbitmqEnableManagementAccess}
|
|
- - 15672
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
|
|
# RabbitMQ plugins initialization occurs on every node
|
|
config_settings:
|
|
map_merge:
|
|
-
|
|
rabbitmq::file_limit: {get_param: RabbitFDLimit}
|
|
rabbitmq::default_user: {get_param: RabbitUserName}
|
|
rabbitmq::default_pass: {get_param: RabbitPassword}
|
|
rabbit_ipv6: {if: [is_ipv6, true, false]}
|
|
rabbitmq::delete_guest_user: false
|
|
rabbitmq::wipe_db_on_cookie_change: true
|
|
rabbitmq::port: 5672
|
|
rabbitmq::loopback_users: []
|
|
rabbitmq::tcp_backlog: {get_param: RabbitTCPBacklog}
|
|
rabbitmq::repos_ensure: false
|
|
rabbitmq::tcp_keepalive: true
|
|
# https://launchpad.net/bugs/1822673 (lang/lc_all to utf-8 are an elixir requirement)
|
|
rabbitmq_environment:
|
|
LANG: 'en_US.UTF-8'
|
|
LC_ALL: 'en_US.UTF-8'
|
|
NODE_PORT: ''
|
|
NODE_IP_ADDRESS: ''
|
|
RABBITMQ_NODENAME:
|
|
str_replace:
|
|
template:
|
|
"rabbit@%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
|
RABBITMQ_USE_LONGNAME: 'true'
|
|
RABBITMQ_CTL_DIST_PORT_MIN: '25673'
|
|
RABBITMQ_CTL_DIST_PORT_MAX: '25683'
|
|
'export ERL_EPMD_ADDRESS': "%{hiera('rabbitmq::interface')}"
|
|
tripleo::profile::base::rabbitmq::additional_erl_args: {get_param: RabbitAdditionalErlArgs}
|
|
rabbitmq_kernel_variables:
|
|
inet_dist_listen_min: '25672'
|
|
inet_dist_listen_max: '25672'
|
|
net_ticktime: {get_param: RabbitNetTickTime}
|
|
rabbitmq_config_variables:
|
|
cluster_partition_handling: 'ignore'
|
|
queue_master_locator: '<<"min-masters">>'
|
|
rabbitmq::config_additional_variables:
|
|
lager: '[{crash_log_count, 0}, { crash_log_date, ""}, { crash_log_size, 0 }]'
|
|
rabbitmq::erlang_cookie: {get_param: RabbitCookie}
|
|
# NOTE: bind IP is found in hiera replacing the network name with the
|
|
# local node IP for the given network; replacement examples
|
|
# (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
rabbitmq::interface:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
|
rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues}
|
|
rabbitmq::ssl: {get_param: EnableInternalTLS}
|
|
rabbitmq::ssl_erl_dist: {get_param: EnableInternalTLS}
|
|
rabbitmq::ssl_port: 5672
|
|
rabbitmq::ssl_depth: 1
|
|
rabbitmq::ssl_only: {get_param: EnableInternalTLS}
|
|
rabbitmq::ssl_interface:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
|
# TODO(jaosorior): Remove this once we set a proper default in
|
|
# puppet-tripleo
|
|
tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS}
|
|
rabbitmq::collect_statistics_interval: 30000
|
|
rabbitmq::admin_enable: false
|
|
rabbitmq::management_enable: true
|
|
rabbitmq::use_config_file_for_plugins: true
|
|
rabbitmq::management_ip_address:
|
|
if:
|
|
- {get_param: RabbitmqEnableManagementAccess}
|
|
- str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, RabbitmqManagementNetwork]}
|
|
- 127.0.0.1
|
|
rabbitmq::management_port: 15672
|
|
rabbitmq::config_management_variables:
|
|
rates_mode: none
|
|
tripleo::certmonger::rabbitmq::postsave_cmd:
|
|
if:
|
|
- {get_param: EnableInternalTLS}
|
|
- true
|
|
# Only set CAs then InternalTLSCAFile is not ''
|
|
- if:
|
|
- rabbitmq_cacert_set
|
|
- rabbitmq::ssl_cacert: {get_param: InternalTLSCAFile}
|
|
rabbitmq::ssl_management_cacert: {get_param: InternalTLSCAFile}
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- tripleo::rabbitmq::service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
|
|
tripleo::profile::base::rabbitmq::certificate_specs:
|
|
service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
|
|
service_key: '/etc/pki/tls/private/rabbitmq.key'
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: rabbitmq
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "['Rabbitmq_policy', 'Rabbitmq_user'].each |String $val| { noop_resource($val) }"
|
|
- "include tripleo::profile::base::rabbitmq"
|
|
config_image: &rabbitmq_config_image {get_param: ContainerRabbitmqConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/rabbitmq.json:
|
|
command: /usr/lib/rabbitmq/bin/rabbitmq-server
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
optional: true
|
|
permissions:
|
|
- path: /var/lib/rabbitmq
|
|
owner: rabbitmq:rabbitmq
|
|
recurse: true
|
|
- path: /etc/pki/tls/certs/rabbitmq.crt
|
|
owner: rabbitmq:rabbitmq
|
|
optional: true
|
|
- path: /etc/pki/tls/private/rabbitmq.key
|
|
owner: rabbitmq:rabbitmq
|
|
optional: true
|
|
docker_config:
|
|
# Kolla_bootstrap runs before permissions set by kolla_config
|
|
step_1:
|
|
rabbitmq_init_logs:
|
|
start_order: 0
|
|
detach: false
|
|
image: &rabbitmq_image {get_param: ContainerRabbitmqImage}
|
|
net: none
|
|
privileged: false
|
|
user: root
|
|
volumes:
|
|
- /var/log/containers/rabbitmq:/var/log/rabbitmq
|
|
command: ['/bin/bash', '-c', 'chown -R rabbitmq:rabbitmq /var/log/rabbitmq']
|
|
rabbitmq_bootstrap:
|
|
start_order: 1
|
|
detach: false
|
|
image: *rabbitmq_image
|
|
net: host
|
|
privileged: false
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/rabbitmq:/var/lib/kolla/config_files/src:ro
|
|
- /var/lib/rabbitmq:/var/lib/rabbitmq
|
|
- /var/log/containers/rabbitmq:/var/log/rabbitmq
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro
|
|
- /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
KOLLA_BOOTSTRAP: true
|
|
# NOTE: this should force this container to re-run on each
|
|
# update (scale-out, etc.)
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
RABBITMQ_CLUSTER_COOKIE: {get_param: RabbitCookie}
|
|
|
|
rabbitmq:
|
|
start_order: 2
|
|
image: *rabbitmq_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/rabbitmq:/var/lib/kolla/config_files/src:ro
|
|
- /var/lib/rabbitmq:/var/lib/rabbitmq:z
|
|
- /var/log/containers/rabbitmq:/var/log/rabbitmq:z
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro
|
|
- /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
container_puppet_tasks:
|
|
# RabbitMQ users and policies initialization occurs only on single node
|
|
step_2:
|
|
config_volume: 'rabbit_init_tasks'
|
|
puppet_tags: 'rabbitmq_policy,rabbitmq_user'
|
|
step_config: 'include tripleo::profile::base::rabbitmq'
|
|
config_image: *rabbitmq_config_image
|
|
volumes:
|
|
- /var/lib/config-data/puppet-generated/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro
|
|
- /var/lib/rabbitmq:/var/lib/rabbitmq
|
|
metadata_settings:
|
|
if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - service: rabbitmq
|
|
network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
|
type: node
|
|
deploy_steps_tasks:
|
|
- name: Certificate generation
|
|
when:
|
|
- step|int == 1
|
|
- enable_internal_tls
|
|
block:
|
|
- include_role:
|
|
name: linux-system-roles.certificate
|
|
vars:
|
|
certificate_requests:
|
|
- name: rabbitmq
|
|
dns:
|
|
str_replace:
|
|
template: "{{fqdn_$NETWORK}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
|
run_after: |
|
|
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
|
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
|
service_key="/etc/pki/tls/private/rabbitmq.key"
|
|
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
|
# lp#1917868: Do not use podman cp with HA containers as they get
|
|
# frozen temporarily and that can make pacemaker operation fail.
|
|
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
|
# no need to update the mount point, because pacemaker
|
|
# recreates the container when it's restarted
|
|
else
|
|
# Refresh the cert at the mount-point
|
|
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
|
# Refresh the key at the mount-point
|
|
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
|
# Copy the new cert from the mount-point to the real path
|
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
|
# Copy the new key from the mount-point to the real path
|
|
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
|
fi
|
|
# Set appropriate permissions
|
|
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
|
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
|
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
|
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
|
|
key_size:
|
|
if:
|
|
- key_size_override_set
|
|
- {get_param: RabbitmqCertificateKeySize}
|
|
- {get_param: CertificateKeySize}
|
|
ca: ipa
|
|
host_prep_tasks:
|
|
- name: creat fcontext entry for rabbitmq data
|
|
community.general.sefcontext:
|
|
target: "/var/lib/rabbitmq(/.*)?"
|
|
setype: container_file_t
|
|
state: present
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode|default(omit) }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/lib/rabbitmq, 'setype': container_file_t }
|
|
# TODO: Removal of package
|
|
upgrade_tasks: []
|
|
update_tasks: []
|
|
# TODO: Are we sure we want to support this. Rolling update
|
|
# without pacemaker may fail. Do we test this ? In any case,
|
|
# this is under tripleo_container_manage control so the latest image should be
|
|
# pulled in by the deploy steps. Same question for other
|
|
# usually managed by pacemaker container.
|