openstack/tripleo-heat-templates
Code Issues Proposed changes
d18c6e9283
tripleo-heat-templates/deployment/nova/nova-compute-common-container-puppet.yaml
Oliver Walsh a2a6ddab59 Refactor nova db config 
It is best to avoid placing db creds on the compute nodes to limit the
exposure if an attacker succeeds in gaining access to the hypervisor
host.

Related patches in puppet-nova remove the credentials from nova.conf
however the current scope of db credential hieradata is all nova tripleo
services - so it will but written to the hieradata keys on compute
nodes.

This patch refactors the nova hieradata structure, splitting the
nova-api/nova database hieradata out into individual templates and
selectively including only where necessary, ensuring we have no db
creds on a compute node (unless it is an all-in-one api+compute node).

Conflicts:
	deployment/nova/nova-manager-container-puppet.yaml
        deployment/nova/nova-compute-common-container-puppet.yaml

Depends-On: I07caa3185427b48e6e7d60965fa3e6157457018c
Change-Id: Ia4a29bdd2cd8e894bcc7c0078cf0f0ab0f97de0a
Closes-bug: #1871482
(cherry picked from commit 9d82364de8)
2021-01-04 16:07:52 -05:00

93 lines
3.5 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
Contains a static list of common things necessary for nova-compute containers
parameters:
# Required parameters
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
NovaAdditionalCell:
default: false
description: Whether this is an cell additional to the default cell.
type: boolean
outputs:
container_config_scripts:
description: Shared docker config scripts
value:
nova_statedir_ownership.py:
mode: "0700"
content: { get_file: ../../container_config_scripts/nova_statedir_ownership.py }
nova_wait_for_compute_service.py:
mode: "0755"
content: { get_file: ../../container_config_scripts/nova_wait_for_compute_service.py }
nova_compute_common_deploy_steps_tasks:
description: Common host prep tasks for nova-compute services (compute + ironic)
# Runs as external_post_deploy_tasks
value: &nova_compute_common_deploy_steps_tasks
- block:
- name: is additonal Cell?
set_fact:
nova_additional_cell: {get_param: NovaAdditionalCell}
- name: check if discover hosts is required
when:
- not nova_additional_cell|bool
- nova_cellv2_discovery_done is not defined
block:
- name: discover via nova_manager?
set_fact:
nova_cellv2_discovery_delegate_host: "{{ groups['nova_manager'][0] }}"
nova_cellv2_discovery_container: nova_manager
when:
- groups['nova_manager'] is defined and (groups['nova_manager']|length>0)
- name: discover via nova_api?
set_fact:
nova_cellv2_discovery_delegate_host: "{{ groups['nova_api'][0] }}"
nova_cellv2_discovery_container: nova_api
when:
- nova_cellv2_discovery_delegate_host is not defined
- groups['nova_api'] is defined and (groups['nova_api']|length>0)
- name: Warn if no discovery host available
fail:
msg: 'No hosts available to run nova cell_v2 host discovery.'
ignore_errors: yes
when:
- nova_cellv2_discovery_delegate_host is not defined
- name: Discovering nova hosts
command: "{{ container_cli }} exec {{ nova_cellv2_discovery_container }} nova-manage cell_v2 discover_hosts --by-service"
become: true
changed_when: false
delegate_to: '{{ nova_cellv2_discovery_delegate_host }}'
when:
- nova_cellv2_discovery_delegate_host is defined
# Could be included multiple times so ensure it only runs once
- set_fact:
nova_cellv2_discovery_done: true
View Git Blame Copy Permalink