tripleo-heat-templates/deployment/rabbitmq/rabbitmq-container-puppet.yaml
John Eckersberg 938166b93b Don't set RABBITMQ_SERVER_ERL_ARGS
From the RabbitMQ docs[1]:

"RABBITMQ_SERVER_ERL_ARGS - Standard parameters for the erl command
used when invoking the RabbitMQ Server. This should be overridden for
debugging purposes only. Overriding this variable replaces the default
value."

We do not need any of the current values because of this commit from
2015 in rabbitmq 3.5.4:

5c3c0e6f38

In which the "+K true" and "-kernel inet_default_connect_options
"[{nodelay,true}]" options were hard-coded to the rabbitmq-server
script.  Meanwhile the "+P 1048576" configuration was moved to the
rabbitmq-env script under the SERVER_ERL_ARGS variable, which holds the
defaults used when RABBITMQ_SERVER_ERL_ARGS is unset.

[1] https://www.rabbitmq.com/configure.html#supported-environment-variables

Let's also move the current RabbitAdditionalErlArgs to a new dedicated
override hiera key.

NB: To get this properly working we need a puppet-rabbitmq that contains
    https://github.com/voxpupuli/puppet-rabbitmq/pull/841
Depends-On: I3bf244a70538209773804eb85fae6be035c587f4

Closes-Bug: #1884922

Change-Id: I567839785a72813a382a00253562894e19eb6715
2020-07-06 17:55:58 +00:00


# Heat service template for the containerized RabbitMQ broker (TripleO).
# Intrinsics used below (get_param, if, str_replace, yaql, list_concat,
# map_merge, get_attr) are resolved by Heat at stack create/update time.
heat_template_version: rocky
description: >
  OpenStack containerized Rabbitmq service
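parameters:
  # Container images; both are mandatory (no default), so a deployment
  # cannot silently fall back to an unpinned image.
  ContainerRabbitmqImage:
    description: image
    type: string
  ContainerRabbitmqConfigImage:
    description: The container image to use for the rabbitmq config_volume
    type: string
  # Standard service-template inputs; not all of them are referenced by
  # this template.
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry. This
      mapping overrides those in ServiceNetMapDefaults.
    type: json
  # Fallback source for the Erlang cookie (key rabbit_cookie); see the
  # rabbitmq::erlang_cookie selection in outputs.
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  # Erlang cookie shared by cluster members. It is the credential for the
  # distribution ports opened in firewall_rules, so treat it as a secret.
  # Empty (the default) defers to DefaultPasswords.rabbit_cookie.
  RabbitCookie:
    type: string
    default: ''
    hidden: true
  # Turns on TLS for the AMQP listener and the Erlang distribution, and
  # certmonger issuance of the service certificate (see outputs).
  EnableInternalTLS:
    type: boolean
    default: false
  # NOTE(review): the default account is 'guest'; config_settings below
  # keeps the guest user and empties loopback_users, so this account is not
  # confined to localhost and RabbitPassword is its only protection.
  RabbitUserName:
    default: guest
    description: The username for RabbitMQ
    type: string
  # Mandatory (no default); hidden keeps it out of stack/parameter listings.
  RabbitPassword:
    description: The password for RabbitMQ
    type: string
    hidden: true
  RabbitFDLimit:
    default: 65536
    description: Configures RabbitMQ FD limit
    type: number
  # Deprecated (see parameter_groups). Not referenced in the visible part
  # of this template; IPv6 is derived from ServiceData via the is_ipv6
  # condition instead.
  RabbitIPv6:
    default: false
    description: Enable IPv6 in RabbitMQ
    type: boolean
  # -1 means "ha-mode all"; 0 (the default here) is replaced by CEIL(N/2).
  RabbitHAQueues:
    description: >-
      The number of HA queues to be configured in rabbit. A value of -1
      translates to "ha-mode all". The special value 0 (the default) will be
      automatically overridden to CEIL(N/2) where N is the number of nodes
      running rabbitmq.
    default: 0
    type: number
  RabbitNetTickTime:
    description: >-
      The number of seconds to configure the value of the erlang
      net_ticktime kernel variable.
    default: 15
    type: number
  # Free-form string handed to the Erlang VM command line via
  # tripleo::profile::base::rabbitmq::additional_erl_args. It is not
  # validated here, so it must remain operator-controlled.
  RabbitAdditionalErlArgs:
    description: >-
      Additional parameters passed to the Erlang subsystem. The string
      needs to be enclosed in quotes twice. We default to +sbwt none
      in order to have the erlang vm be less busy on spinlocks, but
      we allow a simple way of overriding it.
    default: "'+sbwt none'"
    type: string
  MonitoringSubscriptionRabbitmq:
    default: 'overcloud-rabbitmq'
    type: string
  DeployIdentifier:
    default: ''
    type: string
    description: >
      Setting this to a unique value will re-run any deployment tasks which
      perform configuration on a Heat stack-update.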
# Deprecation notice surfaced to operators (TripleO convention). Listing a
# parameter here does not remove it; RabbitIPv6 is still accepted above.
parameter_groups:
  - label: deprecated
    description: |
      The following parameters are deprecated and will be removed. They should not
      be relied on for new deployments. If you have concerns regarding deprecated
      parameters, please contact the TripleO development team on IRC or the
      OpenStack mailing list.
    parameters:
      - RabbitIPv6
# Conditions consulted by the `if:` intrinsics in outputs below.
conditions:
  # Internal (service-to-service) TLS was requested.
  internal_tls_enabled:
    equals:
      - {get_param: EnableInternalTLS}
      - true
  # The RabbitMQ service network is an IPv6 network: resolve this service's
  # network name through ServiceNetMap, then look up its IP version in
  # ServiceData.net_ip_version_map.
  is_ipv6:
    equals:
      - get_param:
          - ServiceData
          - net_ip_version_map
          - {get_param: [ServiceNetMap, RabbitmqNetwork]}
      - 6
resources:
  # Shared container definitions; its `volumes` attribute is list_concat'ed
  # into the rabbitmq containers in docker_config below.
  ContainersCommon:
    type: ../containers-common.yaml
outputs:
role_data:
description: Role data for the Rabbitmq API role.
value:
service_name: rabbitmq
# Host firewall openings, matched to the listeners configured below:
#   4369        - epmd (Erlang port mapper; bound via ERL_EPMD_ADDRESS)
#   5672        - AMQP (rabbitmq::port / rabbitmq::ssl_port)
#   25672       - Erlang distribution (inet_dist_listen_min/max)
#   25673-25683 - rabbitmqctl distribution ports (RABBITMQ_CTL_DIST_PORT_MIN/MAX)
# NOTE(review): no source restriction is expressed here, so these ports
# are reachable from anything that can route to the node. Unless
# EnableInternalTLS turns on ssl_erl_dist, the Erlang cookie is the only
# authentication on the distribution ports.
firewall_rules:
  '109 rabbitmq':
    dport:
      - 4369
      - 5672
      - 25672
      - 25673-25683
monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
# RabbitMQ plugins initialization occurs on every node
# Hiera data consumed by puppet-rabbitmq / puppet-tripleo when the config
# volume is rendered (puppet_config below).
config_settings:
  map_merge:
    -
      rabbitmq::file_limit: {get_param: RabbitFDLimit}
      rabbitmq::default_user: {get_param: RabbitUserName}
      rabbitmq::default_pass: {get_param: RabbitPassword}
      rabbit_ipv6: {if: [is_ipv6, true, false]}
      # NOTE(review): guest is kept and loopback_users is emptied, so the
      # default user (RabbitUserName, 'guest' by default) may authenticate
      # from any interface the broker listens on; RabbitPassword must be
      # strong.
      rabbitmq::delete_guest_user: false
      # A changed cookie wipes the local DB on the next run: prevents a
      # node from joining with stale state, but it is destructive.
      rabbitmq::wipe_db_on_cookie_change: true
      rabbitmq::port: 5672
      rabbitmq::loopback_users: []
      rabbitmq::tcp_backlog: 4096
      rabbitmq::package_provider: yum
      rabbitmq::package_source: undef
      rabbitmq::repos_ensure: false
      rabbitmq::tcp_keepalive: true
      # https://launchpad.net/bugs/1822673 (lang/lc_all to utf-8 are an elixir requirement)
      rabbitmq_environment:
        LANG: 'en_US.UTF-8'
        LC_ALL: 'en_US.UTF-8'
        NODE_PORT: ''
        NODE_IP_ADDRESS: ''
        RABBITMQ_NODENAME: "rabbit@%{::hostname}"
        RABBITMQ_CTL_DIST_PORT_MIN: '25673'
        RABBITMQ_CTL_DIST_PORT_MAX: '25683'
        # The 'export ' prefix is part of the key, presumably so the
        # generated rabbitmq-env.conf exports the variable to child
        # processes such as epmd -- confirm against the puppet template.
        # Binding epmd to the service-network IP keeps it off other networks.
        'export ERL_EPMD_ADDRESS': "%{hiera('rabbitmq::interface')}"
      # Extra Erlang VM flags (default '+sbwt none'), supplied through the
      # dedicated profile key rather than RABBITMQ_SERVER_ERL_ARGS.
      tripleo::profile::base::rabbitmq::additional_erl_args: {get_param: RabbitAdditionalErlArgs}
      rabbitmq_kernel_variables:
        # Pin the distribution listener to one port so firewall_rules can
        # be exact.
        inet_dist_listen_min: '25672'
        inet_dist_listen_max: '25672'
        net_ticktime: {get_param: RabbitNetTickTime}
      rabbitmq_config_variables:
        # 'ignore': the broker does not try to heal partitions itself;
        # recovery is presumably expected from outside (HA layer).
        cluster_partition_handling: 'ignore'
        queue_master_locator: '<<"min-masters">>'
      # First non-empty of RabbitCookie and DefaultPasswords.rabbit_cookie.
      # Keep in sync with RABBITMQ_CLUSTER_COOKIE in docker_config below.
      rabbitmq::erlang_cookie:
        yaql:
          expression: $.data.passwords.where($ != '').first()
          data:
            passwords:
              - {get_param: RabbitCookie}
              - {get_param: [DefaultPasswords, rabbit_cookie]}
      # NOTE: bind IP is found in hiera replacing the network name with the
      # local node IP for the given network; replacement examples
      # (eg. for internal_api):
      # internal_api -> IP
      # internal_api_uri -> [IP]
      # internal_api_subnet - > IP/CIDR
      rabbitmq::interface:
        str_replace:
          template:
            "%{hiera('$NETWORK')}"
          params:
            $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
      rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues}
      # TLS for the AMQP listener and the Erlang distribution. ssl_only is
      # meant to drop the plaintext listener so 5672 only speaks TLS;
      # ssl_depth 1 limits chain verification depth -- verify both in the
      # rendered rabbitmq.config.
      rabbitmq::ssl: {get_param: EnableInternalTLS}
      rabbitmq::ssl_erl_dist: {get_param: EnableInternalTLS}
      rabbitmq::ssl_port: 5672
      rabbitmq::ssl_depth: 1
      rabbitmq::ssl_only: {get_param: EnableInternalTLS}
      rabbitmq::ssl_interface:
        str_replace:
          template:
            "%{hiera('$NETWORK')}"
          params:
            $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
      # TODO(jaosorior): Remove this once we set a proper default in
      # puppet-tripleo
      tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS}
      rabbitmq::collect_statistics_interval: 30000
    -
      # Certificate request for certmonger, only when internal TLS is on.
      # The cert/key paths must match the kolla_config/docker_config mounts.
      if:
        - internal_tls_enabled
        - generate_service_certificates: true
          tripleo::rabbitmq::service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
          tripleo::profile::base::rabbitmq::certificate_specs:
            service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
            service_key: '/etc/pki/tls/private/rabbitmq.key'
            hostname:
              str_replace:
                template: "%{hiera('fqdn_NETWORK')}"
                params:
                  NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
            principal:
              str_replace:
                template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
                params:
                  NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
            postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
        - {}
    - rabbitmq::admin_enable: false
      rabbitmq::management_enable: true
      rabbitmq::use_config_file_for_plugins: true
      # Management API bound to loopback only: reachable from the host,
      # not from the service network (its port is not in firewall_rules).
      rabbitmq::management_ip_address: 127.0.0.1
      rabbitmq::config_management_variables:
        rates_mode: none
    - if:
        - internal_tls_enabled
        - tripleo::certmonger::rabbitmq::postsave_cmd: "true" # TODO: restart the rabbitmq container here
        - {}
# BEGIN DOCKER SETTINGS
# Puppet run that renders the rabbitmq config volume on every node.
puppet_config:
  config_volume: rabbitmq
  step_config:
    list_join:
      - "\n"
      # Rabbitmq_policy / Rabbitmq_user are no-op'd here: users and policies
      # are created once by the step_2 container_puppet_tasks run below,
      # not during each node's config generation.
      - - "['Rabbitmq_policy', 'Rabbitmq_user'].each |String $val| { noop_resource($val) }"
        - "include tripleo::profile::base::rabbitmq"
  # Anchor reused by container_puppet_tasks below.
  config_image: &rabbitmq_config_image {get_param: ContainerRabbitmqConfigImage}
kolla_config:
  /var/lib/kolla/config_files/rabbitmq.json:
    command: /usr/lib/rabbitmq/bin/rabbitmq-server
    # At container start the puppet-generated config (src) and, when
    # present, the certmonger-issued cert/key (src-tls, optional) are
    # copied into the container root before the command runs.
    config_files:
      - source: "/var/lib/kolla/config_files/src/*"
        dest: "/"
        merge: true
        preserve_properties: true
      - source: "/var/lib/kolla/config_files/src-tls/*"
        dest: "/"
        merge: true
        preserve_properties: true
        optional: true
    # Ownership fixups. /var/lib/rabbitmq is a host bind mount, so the
    # recursive chown changes host ownership too. The cert/key entries
    # act on the copies made from src-tls (the host files are mounted
    # read-only under src-tls), and are optional because they only exist
    # with EnableInternalTLS.
    permissions:
      - path: /var/lib/rabbitmq
        owner: rabbitmq:rabbitmq
        recurse: true
      - path: /etc/pki/tls/certs/rabbitmq.crt
        owner: rabbitmq:rabbitmq
        optional: true
      - path: /etc/pki/tls/private/rabbitmq.key
        owner: rabbitmq:rabbitmq
        optional: true
docker_config:
  # Kolla_bootstrap runs before permissions set by kolla_config
  step_1:
    # One-shot log-dir ownership fix. Runs as root (needed for the chown)
    # but unprivileged, with no network, and only the log dir mounted.
    rabbitmq_init_logs:
      start_order: 0
      detach: false
      image: &rabbitmq_image {get_param: ContainerRabbitmqImage}
      net: none
      privileged: false
      user: root
      volumes:
        - /var/log/containers/rabbitmq:/var/log/rabbitmq
      command: ['/bin/bash', '-c', 'chown -R rabbitmq:rabbitmq /var/log/rabbitmq']
    # One-shot bootstrap (KOLLA_BOOTSTRAP) on the host network, with the
    # same config/data mounts as the long-running container.
    rabbitmq_bootstrap:
      start_order: 1
      detach: false
      image: *rabbitmq_image
      net: host
      privileged: false
      volumes:
        list_concat:
          - {get_attr: [ContainersCommon, volumes]}
          -
            - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
            - /var/lib/config-data/puppet-generated/rabbitmq:/var/lib/kolla/config_files/src:ro
            - /var/lib/rabbitmq:/var/lib/rabbitmq
            - /var/log/containers/rabbitmq:/var/log/rabbitmq
          # Cert/key are mounted read-only under src-tls only when internal
          # TLS is on; otherwise null (presumably dropped by list_concat).
          - if:
              - internal_tls_enabled
              -
                - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro
                - /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro
              - null
      environment:
        KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
        KOLLA_BOOTSTRAP: true
        # NOTE: this should force this container to re-run on each
        # update (scale-out, etc.)
        TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
        # Same selection as rabbitmq::erlang_cookie in config_settings;
        # keep the two in sync. NOTE(review): this secret is passed as a
        # container environment variable, so anyone who can inspect the
        # container through the runtime can read it.
        RABBITMQ_CLUSTER_COOKIE:
          yaql:
            expression: $.data.passwords.where($ != '').first()
            data:
              passwords:
                - {get_param: RabbitCookie}
                - {get_param: [DefaultPasswords, rabbit_cookie]}
    # Long-running broker. No `user:` override: it runs as the image's
    # default user (assumed to be rabbitmq; the chowns in kolla_config
    # and rabbitmq_init_logs rely on that).
    rabbitmq:
      start_order: 2
      image: *rabbitmq_image
      net: host
      privileged: false
      restart: always
      healthcheck:
        test: /openstack/healthcheck
      volumes:
        list_concat:
          - {get_attr: [ContainersCommon, volumes]}
          -
            - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
            - /var/lib/config-data/puppet-generated/rabbitmq:/var/lib/kolla/config_files/src:ro
            - /var/lib/rabbitmq:/var/lib/rabbitmq:z
            - /var/log/containers/rabbitmq:/var/log/rabbitmq:z
          - if:
              - internal_tls_enabled
              -
                - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro
                - /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro
              - null
      environment:
        KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
container_puppet_tasks:
  # RabbitMQ users and policies initialization occurs only on single node
  step_2:
    config_volume: 'rabbit_init_tasks'
    # Applies exactly the resource types no-op'd in puppet_config above.
    puppet_tags: 'rabbitmq_policy,rabbitmq_user'
    step_config: 'include tripleo::profile::base::rabbitmq'
    config_image: *rabbitmq_config_image
    # NOTE(review): the config source here is /var/lib/config-data/rabbitmq,
    # while docker_config mounts /var/lib/config-data/puppet-generated/rabbitmq;
    # confirm both paths exist on the host and point at the same rendering.
    volumes:
      - /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro
      - /var/lib/rabbitmq:/var/lib/rabbitmq
# Node metadata emitted only when internal TLS is on; presumably consumed
# by the certmonger/IPA integration to register the rabbitmq service on
# its network (see the certificate_specs principal above).
metadata_settings:
  if:
    - internal_tls_enabled
    -
      - service: rabbitmq
        network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
        type: node
    - null
host_prep_tasks:
  # Ansible, run on the host before the containers start. Both directories
  # are labelled container_file_t so the bind mounts work under SELinux.
  # NOTE(review): /var/lib/rabbitmq (the broker's DB, typically the Erlang
  # cookie file too) gets no explicit mode, unlike the 0750 log dir;
  # consider 0750 here as well once the in-container uid/gid is confirmed.
  - name: create persistent directories
    file:
      path: "{{ item.path }}"
      state: directory
      setype: "{{ item.setype }}"
      mode: "{{ item.mode|default(omit) }}"
    with_items:
      - { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' }
      - { 'path': /var/lib/rabbitmq, 'setype': container_file_t }
# TODO: Removal of package
# No upgrade-time steps are defined for this service.
upgrade_tasks: []
update_tasks:
# TODO: Are we sure we want to support this. Rolling update
# without pacemaker may fail. Do we test this ? In any case,
# this is under tripleo_container_manage control so the latest image should be
# pulled in by the deploy steps. Same question for other
# usually managed by pacemaker container.