43edc49a04
Previously we were setting glance::api::show_multiple_locations from the CephBase resource but this seems unnecessary as the GlanceApi resource can consume the parameters needed to set the value. Change-Id: I0a7d8cb19a86b96d6196dad453970b4e56c5fe7e
291 lines
12 KiB
YAML
291 lines
12 KiB
YAML
heat_template_version: pike
|
|
|
|
description: >
|
|
OpenStack Glance API service configured with Puppet
|
|
|
|
parameters:
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
Debug:
|
|
default: ''
|
|
description: Set to True to enable debugging on all services.
|
|
type: string
|
|
GlanceDebug:
|
|
default: ''
|
|
description: Set to True to enable debugging Glance service.
|
|
type: string
|
|
GlancePassword:
|
|
description: The password for the glance service and db account, used by the glance services.
|
|
type: string
|
|
hidden: true
|
|
GlanceWorkers:
|
|
default: ''
|
|
description: |
|
|
Number of API worker processes for Glance. If left unset (empty string), the
|
|
default value will result in the configuration being left unset and a
|
|
system-dependent default value will be chosen (e.g.: number of
|
|
processors). Please note that this will create a large number of
|
|
processes on systems with a large number of CPUs resulting in excess
|
|
memory consumption. It is recommended that a suitable non-default value
|
|
be selected on such systems.
|
|
type: string
|
|
MonitoringSubscriptionGlanceApi:
|
|
default: 'overcloud-glance-api'
|
|
type: string
|
|
GlanceApiLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.glance.api
|
|
path: /var/log/glance/api.log
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
CephClientUserName:
|
|
default: openstack
|
|
type: string
|
|
GlanceNotifierStrategy:
|
|
description: Strategy to use for Glance notification queue
|
|
type: string
|
|
default: noop
|
|
GlanceLogFile:
|
|
description: The filepath of the file to use for logging messages from Glance.
|
|
type: string
|
|
default: ''
|
|
GlanceBackend:
|
|
default: swift
|
|
description: The short name of the Glance backend to use. Should be one
|
|
of swift, rbd, or file
|
|
type: string
|
|
constraints:
|
|
- allowed_values: ['swift', 'file', 'rbd']
|
|
GlanceNfsEnabled:
|
|
default: false
|
|
description: >
|
|
When using GlanceBackend 'file', mount NFS share for image storage.
|
|
type: boolean
|
|
GlanceNfsShare:
|
|
default: ''
|
|
description: >
|
|
NFS share to mount for image storage (when GlanceNfsEnabled is true)
|
|
type: string
|
|
GlanceNfsOptions:
|
|
default: 'intr,context=system_u:object_r:glance_var_lib_t:s0'
|
|
description: >
|
|
NFS mount options for image storage (when GlanceNfsEnabled is true)
|
|
type: string
|
|
GlanceRbdPoolName:
|
|
default: images
|
|
type: string
|
|
NovaEnableRbdBackend:
|
|
default: false
|
|
description: Whether to enable or not the Rbd backend for Nova
|
|
type: boolean
|
|
RabbitPassword:
|
|
description: The password for RabbitMQ
|
|
type: string
|
|
hidden: true
|
|
RabbitUserName:
|
|
default: guest
|
|
description: The username for RabbitMQ
|
|
type: string
|
|
RabbitClientPort:
|
|
default: 5672
|
|
description: Set rabbit subscriber port, change this if using SSL
|
|
type: number
|
|
RabbitClientUseSSL:
|
|
default: false
|
|
description: >
|
|
Rabbit client subscriber parameter to specify
|
|
an SSL connection to the RabbitMQ host.
|
|
type: string
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
GlanceApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Glance API.
|
|
e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
|
|
conditions:
|
|
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
|
|
glance_workers_unset: {equals : [{get_param: GlanceWorkers}, '']}
|
|
service_debug_unset: {equals : [{get_param: GlanceDebug}, '']}
|
|
glance_multiple_locations:
|
|
and:
|
|
- equals:
|
|
- get_param: GlanceBackend
|
|
- rbd
|
|
- equals:
|
|
- get_param: NovaEnableRbdBackend
|
|
- true
|
|
|
|
resources:
|
|
|
|
TLSProxyBase:
|
|
type: OS::TripleO::Services::TLSProxyBase
|
|
properties:
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Glance API role.
|
|
value:
|
|
service_name: glance_api
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
|
|
logging_source: {get_param: GlanceApiLoggingSource}
|
|
logging_groups:
|
|
- glance
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [TLSProxyBase, role_data, config_settings]
|
|
- glance::api::database_connection:
|
|
make_url:
|
|
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
|
|
username: glance
|
|
password: {get_param: GlancePassword}
|
|
host: {get_param: [EndpointMap, MysqlInternal, host]}
|
|
path: /glance
|
|
query:
|
|
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
|
read_default_group: tripleo
|
|
glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
|
|
glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
|
glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
|
glance::api::enable_v1_api: false
|
|
glance::api::enable_v2_api: true
|
|
glance::api::authtoken::password: {get_param: GlancePassword}
|
|
glance::api::enable_proxy_headers_parsing: true
|
|
glance::api::debug:
|
|
if:
|
|
- service_debug_unset
|
|
- {get_param: Debug }
|
|
- {get_param: GlanceDebug }
|
|
glance::policy::policies: {get_param: GlanceApiPolicies}
|
|
tripleo.glance_api.firewall_rules:
|
|
'112 glance_api':
|
|
dport:
|
|
- 9292
|
|
- 13292
|
|
glance::api::authtoken::project_name: 'service'
|
|
glance::keystone::authtoken::user_domain_name: 'Default'
|
|
glance::keystone::authtoken::project_domain_name: 'Default'
|
|
glance::api::pipeline: 'keystone'
|
|
glance::api::show_image_direct_url: true
|
|
glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]}
|
|
# NOTE: bind IP is found in Heat replacing the network name with the
|
|
# local node IP for the given network; replacement examples
|
|
# (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
tripleo::profile::base::glance::api::tls_proxy_bind_ip:
|
|
get_param: [ServiceNetMap, GlanceApiNetwork]
|
|
tripleo::profile::base::glance::api::tls_proxy_fqdn:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
|
|
tripleo::profile::base::glance::api::tls_proxy_port:
|
|
get_param: [EndpointMap, GlanceInternal, port]
|
|
# Bind to localhost if internal TLS is enabled, since we put a TLs
|
|
# proxy in front.
|
|
glance::api::bind_host:
|
|
if:
|
|
- use_tls_proxy
|
|
- 'localhost'
|
|
- {get_param: [ServiceNetMap, GlanceApiNetwork]}
|
|
glance_notifier_strategy: {get_param: GlanceNotifierStrategy}
|
|
glance_log_file: {get_param: GlanceLogFile}
|
|
glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri] }
|
|
glance::backend::swift::swift_store_user: service:glance
|
|
glance::backend::swift::swift_store_key: {get_param: GlancePassword}
|
|
glance::backend::swift::swift_store_create_container_on_put: true
|
|
glance::backend::swift::swift_store_auth_version: 3
|
|
glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName}
|
|
glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName}
|
|
glance_backend: {get_param: GlanceBackend}
|
|
glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName}
|
|
glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort}
|
|
glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword}
|
|
glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
|
|
glance::notify::rabbitmq::notification_driver: messagingv2
|
|
tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled}
|
|
tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare}
|
|
tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions}
|
|
-
|
|
if:
|
|
- glance_workers_unset
|
|
- {}
|
|
- glance::api::workers: {get_param: GlanceWorkers}
|
|
service_config_settings:
|
|
keystone:
|
|
glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
|
|
glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
|
|
glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
|
|
glance::keystone::auth::password: {get_param: GlancePassword }
|
|
glance::keystone::auth::region: {get_param: KeystoneRegion}
|
|
glance::keystone::auth::tenant: 'service'
|
|
mysql:
|
|
glance::db::mysql::password: {get_param: GlancePassword}
|
|
glance::db::mysql::user: glance
|
|
glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
|
|
glance::db::mysql::dbname: glance
|
|
glance::db::mysql::allowed_hosts:
|
|
- '%'
|
|
- "%{hiera('mysql_bind_host')}"
|
|
step_config: |
|
|
include ::tripleo::profile::base::glance::api
|
|
upgrade_tasks:
|
|
- name: Check if glance_api is deployed
|
|
command: systemctl is-enabled openstack-glance-api
|
|
tags: common
|
|
ignore_errors: True
|
|
register: glance_api_enabled
|
|
#(TODO) Remove all glance-registry bits in Pike.
|
|
- name: Check if glance_registry is deployed
|
|
command: systemctl is-enabled openstack-glance-registry
|
|
tags: common
|
|
ignore_errors: True
|
|
register: glance_registry_enabled
|
|
- name: "PreUpgrade step0,validation: Check service openstack-glance-api is running"
|
|
shell: /usr/bin/systemctl show 'openstack-glance-api' --property ActiveState | grep '\bactive\b'
|
|
tags: step0,validation
|
|
when: glance_api_enabled.rc == 0
|
|
- name: Stop glance_api service
|
|
tags: step1
|
|
when: glance_api_enabled.rc == 0
|
|
service: name=openstack-glance-api state=stopped
|
|
- name: Stop and disable glance registry (removed for Ocata)
|
|
tags: step1
|
|
when: glance_registry_enabled.rc == 0
|
|
service: name=openstack-glance-registry state=stopped enabled=no
|