Heat templates for deploying OpenStack

  1. heat_template_version: rocky
  2. description: >
  3. OpenStack containerized Rabbitmq service
  4. parameters:
  5. DockerRabbitmqImage:
  6. description: image
  7. type: string
  8. DockerRabbitmqConfigImage:
  9. description: The container image to use for the rabbitmq config_volume
  10. type: string
  11. EndpointMap:
  12. default: {}
  13. description: Mapping of service endpoint -> protocol. Typically set
  14. via parameter_defaults in the resource registry.
  15. type: json
  16. ServiceData:
  17. default: {}
  18. description: Dictionary packing service data
  19. type: json
  20. ServiceNetMap:
  21. default: {}
  22. description: Mapping of service_name -> network name. Typically set
  23. via parameter_defaults in the resource registry. This
  24. mapping overrides those in ServiceNetMapDefaults.
  25. type: json
  26. DefaultPasswords:
  27. default: {}
  28. type: json
  29. RoleName:
  30. default: ''
  31. description: Role name on which the service is applied
  32. type: string
  33. RoleParameters:
  34. default: {}
  35. description: Parameters specific to the role
  36. type: json
  37. RabbitCookie:
  38. type: string
  39. default: ''
  40. hidden: true
  41. EnableInternalTLS:
  42. type: boolean
  43. default: false
  44. InternalTLSCAFile:
  45. default: '/etc/ipa/ca.crt'
  46. type: string
  47. description: Specifies the default CA cert to use if TLS is used for
  48. services in the internal network.
  49. RabbitUserName:
  50. default: guest
  51. description: The username for RabbitMQ
  52. type: string
  53. RabbitPassword:
  54. description: The password for RabbitMQ
  55. type: string
  56. hidden: true
  57. RabbitFDLimit:
  58. default: 65536
  59. description: Configures RabbitMQ FD limit
  60. type: number
  61. RabbitIPv6:
  62. default: false
  63. description: Enable IPv6 in RabbitMQ
  64. type: boolean
  65. RabbitCookie:
  66. type: string
  67. default: ''
  68. hidden: true
  69. RabbitHAQueues:
  70. description:
  71. The number of HA queues to be configured in rabbit. The default is -1 which
  72. translates to "ha-mode all". The special value 0 will be automatically
  73. overridden to CEIL(N/2) where N is the number of nodes running rabbitmq.
  74. default: 0
  75. type: number
  76. RabbitNetTickTime:
  77. description:
  78. The number of seconds to configure the value of the erlang
  79. net_ticktime kernel variable.
  80. default: 15
  81. type: number
  82. RabbitAdditionalErlArgs:
  83. description:
  84. Additional parameters passed to the Erlang subsystem. The string
  85. needs to be enclosed in quotes twice. We default to +sbwt none
  86. in order to have the erlang vm be less busy on spinlocks, but
  87. we allow a simple way of overriding it.
  88. default: "'+sbwt none'"
  89. type: string
  90. MonitoringSubscriptionRabbitmq:
  91. default: 'overcloud-rabbitmq'
  92. type: string
  93. conditions:
  94. internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
  95. resources:
  96. ContainersCommon:
  97. type: ../containers-common.yaml
  98. outputs:
  99. role_data:
  100. description: Role data for the Rabbitmq API role.
  101. value:
  102. service_name: rabbitmq
  103. monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
  104. # RabbitMQ plugins initialization occurs on every node
  105. config_settings:
  106. map_merge:
  107. -
  108. rabbitmq::file_limit: {get_param: RabbitFDLimit}
  109. rabbitmq::default_user: {get_param: RabbitUserName}
  110. rabbitmq::default_pass: {get_param: RabbitPassword}
  111. rabbit_ipv6: {get_param: RabbitIPv6}
  112. tripleo::rabbitmq::firewall_rules:
  113. '109 rabbitmq':
  114. dport:
  115. - 4369
  116. - 5672
  117. - 25672
  118. rabbitmq::delete_guest_user: false
  119. rabbitmq::wipe_db_on_cookie_change: true
  120. rabbitmq::port: 5672
  121. rabbitmq::loopback_users: []
  122. rabbitmq::tcp_backlog: 4096
  123. rabbitmq::package_provider: yum
  124. rabbitmq::package_source: undef
  125. rabbitmq::repos_ensure: false
  126. rabbitmq::tcp_keepalive: true
  127. # https://launchpad.net/bugs/1822673 (lang/lc_all to utf-8 are an elixir requirement)
  128. rabbitmq_environment:
  129. LANG: 'en_US.UTF-8'
  130. LC_ALL: 'en_US.UTF-8'
  131. NODE_PORT: ''
  132. NODE_IP_ADDRESS: ''
  133. RABBITMQ_NODENAME: "rabbit@%{::hostname}"
  134. RABBITMQ_SERVER_ERL_ARGS: '"+K true +P 1048576 -kernel inet_default_connect_options [{nodelay,true}]"'
  135. RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS: {get_param: RabbitAdditionalErlArgs}
  136. 'export ERL_EPMD_ADDRESS': "%{hiera('rabbitmq::interface')}"
  137. rabbitmq_kernel_variables:
  138. inet_dist_listen_min: '25672'
  139. inet_dist_listen_max: '25672'
  140. net_ticktime: {get_param: RabbitNetTickTime}
  141. rabbitmq_config_variables:
  142. cluster_partition_handling: 'ignore'
  143. queue_master_locator: '<<"min-masters">>'
  144. rabbitmq::erlang_cookie:
  145. yaql:
  146. expression: $.data.passwords.where($ != '').first()
  147. data:
  148. passwords:
  149. - {get_param: RabbitCookie}
  150. - {get_param: [DefaultPasswords, rabbit_cookie]}
  151. # NOTE: bind IP is found in hiera replacing the network name with the
  152. # local node IP for the given network; replacement examples
  153. # (eg. for internal_api):
  154. # internal_api -> IP
  155. # internal_api_uri -> [IP]
  156. # internal_api_subnet - > IP/CIDR
  157. rabbitmq::interface:
  158. str_replace:
  159. template:
  160. "%{hiera('$NETWORK')}"
  161. params:
  162. $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
  163. rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues}
  164. rabbitmq::ssl: {get_param: EnableInternalTLS}
  165. rabbitmq::ssl_erl_dist: {get_param: EnableInternalTLS}
  166. rabbitmq::ssl_port: 5672
  167. rabbitmq::ssl_depth: 1
  168. rabbitmq::ssl_only: {get_param: EnableInternalTLS}
  169. rabbitmq::ssl_interface:
  170. str_replace:
  171. template:
  172. "%{hiera('$NETWORK')}"
  173. params:
  174. $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
  175. # TODO(jaosorior): Remove this once we set a proper default in
  176. # puppet-tripleo
  177. tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS}
  178. rabbitmq::collect_statistics_interval: 30000
  179. -
  180. if:
  181. - internal_tls_enabled
  182. - generate_service_certificates: true
  183. tripleo::rabbitmq::service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
  184. tripleo::profile::base::rabbitmq::certificate_specs:
  185. service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
  186. service_key: '/etc/pki/tls/private/rabbitmq.key'
  187. hostname:
  188. str_replace:
  189. template: "%{hiera('fqdn_NETWORK')}"
  190. params:
  191. NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
  192. principal:
  193. str_replace:
  194. template: "rabbitmq/%{hiera('fqdn_NETWORK')}"
  195. params:
  196. NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
  197. postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
  198. - {}
  199. - rabbitmq::admin_enable: false
  200. rabbitmq::management_enable: true
  201. rabbitmq::use_config_file_for_plugins: true
  202. rabbitmq::management_ip_address: 127.0.0.1
  203. rabbitmq::config_management_variables:
  204. rates_mode: none
  205. - if:
  206. - internal_tls_enabled
  207. - tripleo::certmonger::rabbitmq::postsave_cmd: "true" # TODO: restart the rabbitmq container here
  208. - {}
  209. # BEGIN DOCKER SETTINGS
  210. puppet_config:
  211. config_volume: rabbitmq
  212. step_config:
  213. list_join:
  214. - "\n"
  215. - - "['Rabbitmq_policy', 'Rabbitmq_user'].each |String $val| { noop_resource($val) }"
  216. - "include ::tripleo::profile::base::rabbitmq"
  217. config_image: &rabbitmq_config_image {get_param: DockerRabbitmqConfigImage}
  218. kolla_config:
  219. /var/lib/kolla/config_files/rabbitmq.json:
  220. command: /usr/lib/rabbitmq/bin/rabbitmq-server
  221. config_files:
  222. - source: "/var/lib/kolla/config_files/src/*"
  223. dest: "/"
  224. merge: true
  225. preserve_properties: true
  226. - source: "/var/lib/kolla/config_files/src-tls/*"
  227. dest: "/"
  228. merge: true
  229. preserve_properties: true
  230. optional: true
  231. permissions:
  232. - path: /var/lib/rabbitmq
  233. owner: rabbitmq:rabbitmq
  234. recurse: true
  235. - path: /etc/pki/tls/certs/rabbitmq.crt
  236. owner: rabbitmq:rabbitmq
  237. optional: true
  238. - path: /etc/pki/tls/private/rabbitmq.key
  239. owner: rabbitmq:rabbitmq
  240. optional: true
  241. docker_config:
  242. # Kolla_bootstrap runs before permissions set by kolla_config
  243. step_1:
  244. rabbitmq_init_logs:
  245. start_order: 0
  246. detach: false
  247. image: &rabbitmq_image {get_param: DockerRabbitmqImage}
  248. net: none
  249. privileged: false
  250. user: root
  251. volumes:
  252. - /var/log/containers/rabbitmq:/var/log/rabbitmq
  253. command: ['/bin/bash', '-c', 'chown -R rabbitmq:rabbitmq /var/log/rabbitmq']
  254. rabbitmq_bootstrap:
  255. start_order: 1
  256. detach: false
  257. image: *rabbitmq_image
  258. net: host
  259. privileged: false
  260. volumes:
  261. list_concat:
  262. - {get_attr: [ContainersCommon, volumes]}
  263. -
  264. - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
  265. - /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
  266. - /var/lib/rabbitmq:/var/lib/rabbitmq
  267. - /var/log/containers/rabbitmq:/var/log/rabbitmq
  268. - if:
  269. - internal_tls_enabled
  270. -
  271. - list_join:
  272. - ':'
  273. - - {get_param: InternalTLSCAFile}
  274. - {get_param: InternalTLSCAFile}
  275. - 'ro'
  276. - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro
  277. - /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro
  278. - null
  279. environment:
  280. - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
  281. - KOLLA_BOOTSTRAP=True
  282. -
  283. list_join:
  284. - '='
  285. - - 'RABBITMQ_CLUSTER_COOKIE'
  286. -
  287. yaql:
  288. expression: $.data.passwords.where($ != '').first()
  289. data:
  290. passwords:
  291. - {get_param: RabbitCookie}
  292. - {get_param: [DefaultPasswords, rabbit_cookie]}
  293. rabbitmq:
  294. start_order: 2
  295. image: *rabbitmq_image
  296. net: host
  297. privileged: false
  298. restart: always
  299. healthcheck:
  300. test: /openstack/healthcheck
  301. volumes:
  302. list_concat:
  303. - {get_attr: [ContainersCommon, volumes]}
  304. -
  305. - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
  306. - /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
  307. - /var/lib/rabbitmq:/var/lib/rabbitmq:z
  308. - /var/log/containers/rabbitmq:/var/log/rabbitmq:z
  309. - if:
  310. - internal_tls_enabled
  311. -
  312. - list_join:
  313. - ':'
  314. - - {get_param: InternalTLSCAFile}
  315. - {get_param: InternalTLSCAFile}
  316. - 'ro'
  317. - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro
  318. - /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro
  319. - null
  320. environment:
  321. - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
  322. container_puppet_tasks:
  323. # RabbitMQ users and policies initialization occurs only on single node
  324. step_2:
  325. config_volume: 'rabbit_init_tasks'
  326. puppet_tags: 'rabbitmq_policy,rabbitmq_user'
  327. step_config: 'include ::tripleo::profile::base::rabbitmq'
  328. config_image: *rabbitmq_config_image
  329. volumes:
  330. - /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro
  331. - /var/lib/rabbitmq:/var/lib/rabbitmq
  332. metadata_settings:
  333. if:
  334. - internal_tls_enabled
  335. -
  336. - service: rabbitmq
  337. network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
  338. type: node
  339. - null
  340. host_prep_tasks:
  341. - name: create persistent directories
  342. file:
  343. path: "{{ item.path }}"
  344. state: directory
  345. setype: "{{ item.setype }}"
  346. with_items:
  347. - { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t }
  348. - { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
  349. - { 'path': /var/log/rabbitmq, 'setype': svirt_sandbox_file_t }
  350. - name: rabbitmq logs readme
  351. copy:
  352. dest: /var/log/rabbitmq/readme.txt
  353. content: |
  354. Log files from rabbitmq containers can be found under
  355. /var/log/containers/rabbitmq.
  356. ignore_errors: true
  357. # TODO: Removal of package
  358. upgrade_tasks: []
  359. update_tasks:
  360. # TODO: Are we sure we want to support this. Rolling update
  361. # without pacemaker may fail. Do we test this ? In any case,
  362. # this is under paunch control so the latest image should be
  363. # pulled in by the deploy steps. Same question for other
  364. # usually managed by pacemaker container.
  365. post_upgrade_tasks:
  366. - when: step|int == 1
  367. import_role:
  368. name: tripleo-docker-rm
  369. vars:
  370. containers_to_rm:
  371. - rabbitmq