Refactor manifest execution

Previously, Packstack created many individual manifest files from smaller snippets (templates), and executed them following a certain order. This is sub-optimal, since it forces code duplication and goes against the Puppet design of running a single manifest. This patch refactors the manifest execution, following these principles: - Only 3 templates used, so max 3 Puppet executions on a host: controller manifest, network node manifest, compute node manifest. - The previous snippets are now part of the Packstack Puppet module, and included as needed by the controller/network/compute manifests. This concept is similar to the one used by the puppet-openstack-integration project [1]. - The remaining Python code is left untouched, so we can keep complete compatibility with previous answer files. - Redis HA support has been removed, as this was the only service with HA enabled and didn't fit the general purpose of Packstack. [1] - https://github.com/openstack/puppet-openstack-integration Change-Id: I87591be0fce98079c85c5c12ad76ea7115fb9c75
2016-06-14 17:00:14 +02:00
parent 2380a93e3b
commit 4587b9b4d3
284 changed files with 4524 additions and 4855 deletions
--- a/docs/packstack.rst
+++ b/docs/packstack.rst
@@ -1070,32 +1070,12 @@ MONGODB Config parameters
 Redis Config parameters
 -----------------------
-**CONFIG_REDIS_MASTER_HOST**
+**CONFIG_REDIS_HOST**
-    IP address of the server on which to install the Redis master server.
+    IP address of the server on which to install the Redis server.
 **CONFIG_REDIS_PORT**
-    Port on which the Redis server(s) listens.
+    Port on which the Redis server listens.
 **CONFIG_REDIS_HA**
    Specify 'y' to have Redis try to use HA. ['y', 'n']
 **CONFIG_REDIS_SLAVE_HOSTS**
    Hosts on which to install Redis slaves.
 **CONFIG_REDIS_SENTINEL_HOSTS**
    Hosts on which to install Redis sentinel servers.
 **CONFIG_REDIS_SENTINEL_CONTACT_HOST**
    Host to configure as the Redis coordination sentinel.
 **CONFIG_REDIS_SENTINEL_PORT**
    Port on which Redis sentinel servers listen.
 **CONFIG_REDIS_SENTINEL_QUORUM**
    Quorum value for Redis sentinel servers.
 **CONFIG_REDIS_MASTER_NAME**
    Name of the master server watched by the Redis sentinel. ['[a-z]+']
 Aodh Config parameters
 ----------------------
--- a/packstack/modules/ospluginutils.py
+++ b/packstack/modules/ospluginutils.py
@@ -33,7 +33,6 @@ class ManifestFiles(object):
    def __init__(self):
        self.filelist = []
        self.data = {}
        self.global_data = None
    # continuous manifest file that have the same marker can be
    # installed in parallel, if on different servers
@@ -61,15 +60,12 @@ class ManifestFiles(object):
        Write out the manifest data to disk, this should only be called once
        write before the puppet manifests are copied to the various servers
        """
        if not self.global_data:
            with open(os.path.join(PUPPET_TEMPLATE_DIR, "global.pp")) as gfp:
                self.global_data = gfp.read() % controller.CONF
        os.mkdir(basedefs.PUPPET_MANIFEST_DIR, 0o700)
        for fname, data in self.data.items():
            path = os.path.join(basedefs.PUPPET_MANIFEST_DIR, fname)
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, 'w') as fp:
-                fp.write(self.global_data + data)
+                fp.write(data)
 manifestfiles = ManifestFiles()
@@ -84,10 +80,6 @@ def appendManifestFile(manifest_name, data, marker=''):
    manifestfiles.addFile(manifest_name, marker, data)
 def prependManifestFile(manifest_name, data, marker=''):
    manifestfiles.prependFile(manifest_name, marker, data)
 def generateHieraDataFile():
    os.mkdir(basedefs.HIERADATA_DIR, 0o700)
    with open(HIERA_COMMON_YAML, 'w') as outfile:
@@ -97,11 +89,6 @@ def generateHieraDataFile():
    os.symlink(os.path.basename(HIERA_COMMON_YAML), HIERA_DEFAULTS_YAML)
 def createFirewallResources(hiera_key, default_value='{}'):
    hiera_function = "hiera('%s', %s)" % (hiera_key, default_value)
    return "create_resources(packstack::firewall, %s)\n\n" % hiera_function
 def generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file):
    """
    Wrapper on top of openssl
--- a/packstack/modules/shortcuts.py
+++ b/packstack/modules/shortcuts.py
@@ -1,5 +0,0 @@
 # -*- coding: utf-8 -*-
 def get_mq(config, plugin):
    return plugin + "_%s.pp" % config.get('CONFIG_AMQP_BACKEND')
--- a/packstack/plugins/amqp_002.py
+++ b/packstack/plugins/amqp_002.py
@@ -23,9 +23,6 @@ from packstack.installer import utils
 from packstack.modules.common import filtered_hosts
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
 from packstack.modules.ospluginutils import generate_ssl_cert
 # ------------- AMQP Packstack Plugin Initialization --------------
@@ -155,7 +152,7 @@ def initConfig(controller):
 def initSequences(controller):
    amqpsteps = [
-        {'title': 'Adding AMQP manifest entries',
+        {'title': 'Preparing AMQP entries',
         'functions': [create_manifest]}
    ]
    controller.addSequence("Installing AMQP", [], [], amqpsteps)
@@ -188,9 +185,6 @@ def create_manifest(config, messages):
        config['CONFIG_AMQP_AUTH_PASSWORD'] = 'guest'
        config['CONFIG_AMQP_AUTH_USER'] = 'guest'
    manifestfile = "%s_amqp.pp" % config['CONFIG_AMQP_HOST']
    manifestdata = getManifestTemplate('amqp')
    if config['CONFIG_IP_VERSION'] == 'ipv6':
        config['CONFIG_AMQP_HOST_URL'] = "[%s]" % config['CONFIG_AMQP_HOST']
    else:
@@ -207,6 +201,3 @@ def create_manifest(config, messages):
        fw_details[key]['ports'] = ['5671', '5672']
        fw_details[key]['proto'] = "tcp"
    config['FIREWALL_AMQP_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_AMQP_RULES')
    appendManifestFile(manifestfile, manifestdata, 'pre')
--- a/packstack/plugins/aodh_810.py
+++ b/packstack/plugins/aodh_810.py
@@ -22,10 +22,6 @@ from packstack.installer import validators
 from packstack.installer import processors
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.shortcuts import get_mq
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
 from packstack.modules.ospluginutils import generate_ssl_cert
 # ------------- Aodh Packstack Plugin Initialization --------------
@@ -76,10 +72,8 @@ def initSequences(controller):
       controller.CONF['CONFIG_CEILOMETER_INSTALL'] != 'y'):
        return
-    steps = [{'title': 'Adding Aodh manifest entries',
+    steps = [{'title': 'Preparing Aodh entries',
-              'functions': [create_manifest]},
+              'functions': [create_manifest]}]
             {'title': 'Adding Aodh Keystone manifest entries',
              'functions': [create_keystone_manifest]}]
    controller.addSequence("Installing OpenStack Aodh", [], [],
                           steps)
@@ -87,11 +81,6 @@ def initSequences(controller):
 # -------------------------- step functions --------------------------
 def create_manifest(config, messages):
    manifestfile = "%s_aodh.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate(get_mq(config, "aodh"))
    manifestdata += getManifestTemplate("aodh")
    manifestdata += getManifestTemplate("apache_ports")
    if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
        ssl_cert_file = config['CONFIG_AODH_SSL_CERT'] = (
            '/etc/pki/tls/certs/ssl_amqp_aodh.crt'
@@ -113,11 +102,3 @@ def create_manifest(config, messages):
    fw_details[key]['ports'] = ['8042']
    fw_details[key]['proto'] = "tcp"
    config['FIREWALL_AODH_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_AODH_RULES')
    appendManifestFile(manifestfile, manifestdata, 'aodh')
 def create_keystone_manifest(config, messages):
    manifestfile = "%s_keystone.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("keystone_aodh")
    appendManifestFile(manifestfile, manifestdata)
--- a/packstack/plugins/apache_060.py
+++ b/packstack/plugins/apache_060.py
@@ -1,47 +0,0 @@
 # -*- coding: utf-8 -*-
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #    http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 # implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 """
 Installs and configures Apache for all services using it
 """
 from packstack.installer import utils
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import getManifestTemplate
 # ------------- Aodh Packstack Plugin Initialization --------------
 PLUGIN_NAME = "OS-Apache"
 PLUGIN_NAME_COLORED = utils.color_text(PLUGIN_NAME, 'blue')
 def initConfig(controller):
    # No config needed
    return
 def initSequences(controller):
    steps = [{'title': 'Adding Apache manifest entries',
              'functions': [create_manifest]}]
    controller.addSequence("Setting up Apache", [], [],
                           steps)
 # ------------------------- step functions -------------------------
 def create_manifest(config, messages):
    manifestfile = "%s_apache.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("apache")
    appendManifestFile(manifestfile, manifestdata, 'apache')
--- a/packstack/plugins/ceilometer_800.py
+++ b/packstack/plugins/ceilometer_800.py
@@ -22,13 +22,8 @@ from packstack.installer import basedefs
 from packstack.installer import utils
 from packstack.installer import validators
 from packstack.installer import processors
 from packstack.installer.utils import split_hosts
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.shortcuts import get_mq
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
 from packstack.modules.ospluginutils import generate_ssl_cert
 # ------------- Ceilometer Packstack Plugin Initialization --------------
@@ -114,18 +109,18 @@ def initConfig(controller):
             "CONDITION": False},
        ],
        "REDIS": [
-            {"CMD_OPTION": "redis-master-host",
+            {"CMD_OPTION": "redis-host",
-             "PROMPT": "Enter the host for the Redis master server",
+             "PROMPT": "Enter the host for the Redis server",
             "OPTION_LIST": [],
             "VALIDATORS": [validators.validate_ssh],
             "DEFAULT_VALUE": utils.get_localhost_ip(),
             "MASK_INPUT": False,
             "LOOSE_VALIDATION": False,
-             "CONF_NAME": "CONFIG_REDIS_MASTER_HOST",
+             "CONF_NAME": "CONFIG_REDIS_HOST",
             "USE_DEFAULT": False,
             "NEED_CONFIRM": False,
             "CONDITION": False,
-             "DEPRECATES": ["CONFIG_REDIS_HOST"]},
+             "DEPRECATES": ["CONFIG_REDIS_MASTER_HOST"]},
            {"CMD_OPTION": "redis-port",
             "PROMPT": "Enter the port of the redis server(s)",
             "OPTION_LIST": [],
@@ -137,87 +132,6 @@ def initConfig(controller):
             "USE_DEFAULT": False,
             "NEED_CONFIRM": False,
             "CONDITION": False},
            {"CMD_OPTION": "redis-ha",
             "PROMPT": "Should redis try to use HA?",
             "OPTION_LIST": ["y", "n"],
             "VALIDATORS": [validators.validate_options],
             "DEFAULT_VALUE": "n",
             "MASK_INPUT": False,
             "LOOSE_VALIDATION": False,
             "CONF_NAME": "CONFIG_REDIS_HA",
             "USE_DEFAULT": False,
             "NEED_CONFIRM": False,
             "CONDITION": False},
            {"CMD_OPTION": "redis-slaves",
             "PROMPT": "Enter the host for the redis slave servers",
             "OPTION_LIST": [],
             "VALIDATORS": [validators.validate_multi_ssh],
             "DEFAULT_VALUE": "",
             "MASK_INPUT": False,
             "LOOSE_VALIDATION": False,
             "CONF_NAME": "CONFIG_REDIS_SLAVE_HOSTS",
             "USE_DEFAULT": False,
             "NEED_CONFIRM": False,
             "CONDITION": False},
            {"CMD_OPTION": "redis-sentinels",
             "PROMPT": "Enter the host for the redis sentinel servers",
             "OPTION_LIST": [],
             "VALIDATORS": [validators.validate_multi_ssh],
             "DEFAULT_VALUE": "",
             "MASK_INPUT": False,
             "LOOSE_VALIDATION": False,
             "CONF_NAME": "CONFIG_REDIS_SENTINEL_HOSTS",
             "USE_DEFAULT": False,
             "NEED_CONFIRM": False,
             "CONDITION": False},
            {"CMD_OPTION": "redis-sentinel-contact",
             "PROMPT":
                 "Enter the IP address of the coordination redis sentinel",
             "OPTION_LIST": [],
             "VALIDATORS": [validators.validate_ssh],
             "DEFAULT_VALUE": "",
             "MASK_INPUT": False,
             "LOOSE_VALIDATION": False,
             "CONF_NAME": "CONFIG_REDIS_SENTINEL_CONTACT_HOST",
             "USE_DEFAULT": False,
             "NEED_CONFIRM": False,
             "CONDITION": False},
            {"CMD_OPTION": "redis-sentinel-port",
             "PROMPT": ("Enter the port on which the redis sentinel servers"
                        " listen"),
             "OPTION_LIST": [],
             "VALIDATORS": [validators.validate_port],
             "DEFAULT_VALUE": 26379,
             "MASK_INPUT": False,
             "LOOSE_VALIDATION": False,
             "CONF_NAME": "CONFIG_REDIS_SENTINEL_PORT",
             "USE_DEFAULT": False,
             "NEED_CONFIRM": False,
             "CONDITION": False},
            {"CMD_OPTION": "redis-sentinel-quorum",
             "PROMPT": (
                 "Enter the quorum value for the redis sentinel servers"),
             "OPTION_LIST": [],
             "VALIDATORS": [validators.validate_integer],
             "DEFAULT_VALUE": 2,
             "MASK_INPUT": False,
             "LOOSE_VALIDATION": False,
             "CONF_NAME": "CONFIG_REDIS_SENTINEL_QUORUM",
             "USE_DEFAULT": False,
             "NEED_CONFIRM": False,
             "CONDITION": False},
            {"CMD_OPTION": "redis-sentinel-master-name",
             "PROMPT": (
                 "Enter the logical name of the master server"),
             "OPTION_LIST": [r'[a-z]+'],
             "VALIDATORS": [validators.validate_regexp],
             "DEFAULT_VALUE": 'mymaster',
             "MASK_INPUT": False,
             "LOOSE_VALIDATION": False,
             "CONF_NAME": "CONFIG_REDIS_MASTER_NAME",
             "USE_DEFAULT": False,
             "NEED_CONFIRM": False,
             "CONDITION": False},
        ],
    }
    update_params_usage(basedefs.PACKSTACK_DOC, ceilometer_params)
@@ -253,14 +167,12 @@ def initSequences(controller):
    if controller.CONF['CONFIG_CEILOMETER_INSTALL'] != 'y':
        return
-    steps = [{'title': 'Adding MongoDB manifest entries',
+    steps = [{'title': 'Preparing MongoDB entries',
              'functions': [create_mongodb_manifest]},
-             {'title': 'Adding Redis manifest entries',
+             {'title': 'Preparing Redis entries',
              'functions': [create_redis_manifest]},
-             {'title': 'Adding Ceilometer manifest entries',
+             {'title': 'Preparing Ceilometer entries',
-              'functions': [create_manifest]},
+              'functions': [create_manifest]}]
             {'title': 'Adding Ceilometer Keystone manifest entries',
              'functions': [create_keystone_manifest]}]
    controller.addSequence("Installing OpenStack Ceilometer", [], [],
                           steps)
@@ -268,38 +180,6 @@ def initSequences(controller):
 # -------------------------- step functions --------------------------
 def create_manifest(config, messages):
    manifestfile = "%s_ceilometer.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate(get_mq(config, "ceilometer"))
    manifestdata += getManifestTemplate("ceilometer")
    if config['CONFIG_CEILOMETER_SERVICE_NAME'] == 'httpd':
        manifestdata += getManifestTemplate("apache_ports")
    if config['CONFIG_CEILOMETER_COORDINATION_BACKEND'] == 'redis':
        # Determine if we need to configure multiple sentinel hosts as
        # fallbacks for use in coordination url.
        sentinel_hosts = split_hosts(config['CONFIG_REDIS_SENTINEL_HOSTS'])
        sentinel_port = config['CONFIG_REDIS_SENTINEL_PORT']
        sentinel_host = config['CONFIG_REDIS_SENTINEL_CONTACT_HOST']
        if config['CONFIG_IP_VERSION'] == 'ipv6':
            config['CONFIG_REDIS_SENTINEL_CONTACT_HOST_URL'] = "[%s]" % (
                sentinel_host)
        else:
            config['CONFIG_REDIS_SENTINEL_CONTACT_HOST_URL'] = sentinel_host
        sentinel_contact = config['CONFIG_REDIS_SENTINEL_CONTACT_HOST']
        if len(sentinel_hosts) > 1:
            sentinel_format = 'sentinel_fallback=%s:%s'
            if config['CONFIG_IP_VERSION'] == 'ipv6':
                sentinel_format = 'sentinel_fallback=[%s]:%s'
            sentinel_fallbacks = '&'.join([sentinel_format %
                                          (host, sentinel_port)
                                          for host in sentinel_hosts
                                          if host != sentinel_contact])
        else:
            sentinel_fallbacks = ''
        config['CONFIG_REDIS_SENTINEL_FALLBACKS'] = sentinel_fallbacks
    if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
        ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = (
            '/etc/pki/tls/certs/ssl_amqp_ceilometer.crt'
@@ -321,13 +201,6 @@ def create_manifest(config, messages):
    fw_details[key]['ports'] = ['8777']
    fw_details[key]['proto'] = "tcp"
    config['FIREWALL_CEILOMETER_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_CEILOMETER_RULES')
    # Add a template that creates a group for nova because the ceilometer
    # class needs it
    if config['CONFIG_NOVA_INSTALL'] == 'n':
        manifestdata += getManifestTemplate("ceilometer_nova_disabled")
    appendManifestFile(manifestfile, manifestdata, 'ceilometer')
 def create_mongodb_manifest(config, messages):
@@ -336,8 +209,6 @@ def create_mongodb_manifest(config, messages):
        config['CONFIG_MONGODB_HOST_URL'] = "[%s]" % host
    else:
        config['CONFIG_MONGODB_HOST_URL'] = host
    manifestfile = "%s_mongodb.pp" % config['CONFIG_MONGODB_HOST']
    manifestdata = getManifestTemplate("mongodb")
    fw_details = dict()
    key = "mongodb_server"
@@ -349,70 +220,20 @@ def create_mongodb_manifest(config, messages):
    fw_details[key]['proto'] = "tcp"
    config['FIREWALL_MONGODB_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_MONGODB_RULES')
    appendManifestFile(manifestfile, manifestdata, 'pre')
 def create_redis_manifest(config, messages):
    if config['CONFIG_CEILOMETER_COORDINATION_BACKEND'] == 'redis':
-        redis_master_host = config['CONFIG_REDIS_MASTER_HOST']
+        redis_host = config['CONFIG_REDIS_HOST']
        if config['CONFIG_IP_VERSION'] == 'ipv6':
-            config['CONFIG_REDIS_MASTER_HOST_URL'] = "[%s]" % redis_master_host
+            config['CONFIG_REDIS_HOST_URL'] = "[%s]" % redis_host
        else:
-            config['CONFIG_REDIS_MASTER_HOST_URL'] = redis_master_host
+            config['CONFIG_REDIS_HOST_URL'] = redis_host
        # master
-        manifestfile = "%s_redis.pp" % config['CONFIG_REDIS_MASTER_HOST']
+        master_clients = set([config['CONFIG_CONTROLLER_HOST']])
        manifestdata = getManifestTemplate("redis.pp")
        master_clients = set([config['CONFIG_CONTROLLER_HOST']]).union(
            split_hosts(config['CONFIG_REDIS_SLAVE_HOSTS'])).union(
            split_hosts(config['CONFIG_REDIS_SENTINEL_HOSTS']))
        config['FIREWALL_REDIS_RULES'] = _create_redis_firewall_rules(
            master_clients, config['CONFIG_REDIS_PORT'])
        manifestdata += createFirewallResources('FIREWALL_REDIS_RULES')
        appendManifestFile(manifestfile, manifestdata, 'pre')
        # slaves
        if config['CONFIG_REDIS_HA'] == 'y':
            for slave in split_hosts(config['CONFIG_REDIS_SLAVE_HOSTS']):
                config['CONFIG_REDIS_HOST'] = slave
                manifestfile = "%s_redis_slave.pp" % slave
                manifestdata = getManifestTemplate("redis_slave.pp")
                slave_clients = set([config['CONFIG_CONTROLLER_HOST']]).union(
                    split_hosts(config['CONFIG_REDIS_SLAVE_HOSTS'])).union(
                        split_hosts(config['CONFIG_REDIS_SENTINEL_HOSTS']))
                config['FIREWALL_REDIS_SLAVE_RULES'] = (
                    _create_redis_firewall_rules(
                        slave_clients, config['CONFIG_REDIS_PORT']))
                manifestdata += createFirewallResources(
                    'FIREWALL_REDIS_SLAVE_RULES')
                appendManifestFile(manifestfile, manifestdata, 'pre')
        # sentinels
        if config['CONFIG_REDIS_HA'] == 'y':
            for sentinel in split_hosts(config['CONFIG_REDIS_SENTINEL_HOSTS']):
                manifestfile = "%s_redis_sentinel.pp" % sentinel
                manifestdata = getManifestTemplate("redis_sentinel.pp")
                config['FIREWALL_SENTINEL_RULES'] = (
                    _create_redis_firewall_rules(
                        split_hosts(config['CONFIG_REDIS_SENTINEL_HOSTS']),
                        config['CONFIG_REDIS_SENTINEL_PORT']))
                manifestdata += createFirewallResources(
                    'FIREWALL_SENTINEL_RULES')
                appendManifestFile(manifestfile, manifestdata, 'pre')
 def create_keystone_manifest(config, messages):
    manifestfile = "%s_keystone.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("keystone_ceilometer")
    appendManifestFile(manifestfile, manifestdata)
 # ------------------------- helper functions -------------------------
--- a/packstack/plugins/cinder_250.py
+++ b/packstack/plugins/cinder_250.py
@@ -27,10 +27,6 @@ from packstack.installer.utils import split_hosts
 from packstack.installer import utils
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.shortcuts import get_mq
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
 from packstack.modules.ospluginutils import generate_ssl_cert
 # ------------------ Cinder Packstack Plugin initialization ------------------
@@ -601,10 +597,7 @@ def initSequences(controller):
        if key in config:
            config[key] = [i.strip() for i in config[key].split(',') if i]
-    cinder_steps = [
+    cinder_steps = []
        {'title': 'Adding Cinder Keystone manifest entries',
         'functions': [create_keystone_manifest]}
    ]
    if 'lvm' in config['CONFIG_CINDER_BACKEND']:
        cinder_steps.append(
@@ -612,7 +605,7 @@ def initSequences(controller):
             'functions': [check_cinder_vg]})
    cinder_steps.append(
-        {'title': 'Adding Cinder manifest entries',
+        {'title': 'Preparing Cinder entries',
         'functions': [create_manifest]}
    )
    controller.addSequence("Installing OpenStack Cinder", [], [], cinder_steps)
@@ -719,12 +712,6 @@ def check_cinder_vg(config, messages):
    config['CONFIG_CINDER_VOLUMES_SIZE'] = '%sM' % cinders_volume_size
 def create_keystone_manifest(config, messages):
    manifestfile = "%s_keystone.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("keystone_cinder")
    appendManifestFile(manifestfile, manifestdata)
 def create_manifest(config, messages):
    if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
        ssl_host = config['CONFIG_STORAGE_HOST']
@@ -738,18 +725,6 @@ def create_manifest(config, messages):
        generate_ssl_cert(config, ssl_host, service, ssl_key_file,
                          ssl_cert_file)
    manifestdata = getManifestTemplate(get_mq(config, "cinder"))
    manifestfile = "%s_cinder.pp" % config['CONFIG_STORAGE_HOST']
    manifestdata += getManifestTemplate("cinder")
    for backend in config['CONFIG_CINDER_BACKEND']:
        manifestdata += getManifestTemplate('cinder_%s' % backend)
    if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
        manifestdata += getManifestTemplate('cinder_ceilometer')
    if config['CONFIG_SWIFT_INSTALL'] == 'y':
        manifestdata += getManifestTemplate('cinder_backup')
    fw_details = dict()
    for host in split_hosts(config['CONFIG_COMPUTE_HOSTS']):
        if (config['CONFIG_NOVA_INSTALL'] == 'y' and
@@ -768,7 +743,6 @@ def create_manifest(config, messages):
        fw_details[key]['proto'] = "tcp"
    config['FIREWALL_CINDER_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_CINDER_RULES')
    # cinder API should be open for everyone
    fw_details = dict()
@@ -780,6 +754,3 @@ def create_manifest(config, messages):
    fw_details[key]['ports'] = ['8776']
    fw_details[key]['proto'] = "tcp"
    config['FIREWALL_CINDER_API_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_CINDER_API_RULES')
    appendManifestFile(manifestfile, manifestdata)
--- a/packstack/plugins/dashboard_500.py
+++ b/packstack/plugins/dashboard_500.py
@@ -25,8 +25,6 @@ from packstack.installer import utils
 from packstack.installer import validators
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import getManifestTemplate
 from packstack.modules.ospluginutils import generate_ssl_cert
 from packstack.modules.ospluginutils import deliver_ssl_file
@@ -131,7 +129,7 @@ def initSequences(controller):
        return
    steps = [
-        {'title': 'Adding Horizon manifest entries',
+        {'title': 'Preparing Horizon entries',
         'functions': [create_manifest]}
    ]
    controller.addSequence("Installing OpenStack Horizon", [], [], steps)
@@ -141,7 +139,6 @@ def initSequences(controller):
 def create_manifest(config, messages):
    horizon_host = config['CONFIG_CONTROLLER_HOST']
    manifestfile = "%s_horizon.pp" % horizon_host
    proto = "http"
    config["CONFIG_HORIZON_PORT"] = 80
@@ -207,10 +204,6 @@ def create_manifest(config, messages):
        if config["CONFIG_NEUTRON_VPNAAS"] == 'y':
            config["CONFIG_HORIZON_NEUTRON_VPN"] = True
    manifestdata = getManifestTemplate("horizon")
    manifestdata += getManifestTemplate("apache_ports")
    appendManifestFile(manifestfile, manifestdata)
    msg = ("To access the OpenStack Dashboard browse to %s://%s/dashboard .\n"
           "Please, find your login credentials stored in the keystonerc_admin"
           " in your home directory."
--- a/packstack/plugins/glance_200.py
+++ b/packstack/plugins/glance_200.py
@@ -22,10 +22,6 @@ from packstack.installer import processors
 from packstack.installer import utils
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.shortcuts import get_mq
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
 from packstack.modules.ospluginutils import generate_ssl_cert
 # ------------- Glance Packstack Plugin Initialization --------------
@@ -94,9 +90,7 @@ def initSequences(controller):
        return
    glancesteps = [
-        {'title': 'Adding Glance Keystone manifest entries',
+        {'title': 'Preparing Glance entries',
         'functions': [create_keystone_manifest]},
        {'title': 'Adding Glance manifest entries',
         'functions': [create_manifest]}
    ]
    controller.addSequence("Installing OpenStack Glance", [], [], glancesteps)
@@ -112,12 +106,6 @@ def process_backend(value, param_name, config):
 # -------------------------- step functions --------------------------
 def create_keystone_manifest(config, messages):
    manifestfile = "%s_keystone.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("keystone_glance")
    appendManifestFile(manifestfile, manifestdata)
 def create_manifest(config, messages):
    if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
        ssl_host = config['CONFIG_STORAGE_HOST']
@@ -131,12 +119,6 @@ def create_manifest(config, messages):
        generate_ssl_cert(config, ssl_host, service, ssl_key_file,
                          ssl_cert_file)
    manifestfile = "%s_glance.pp" % config['CONFIG_STORAGE_HOST']
    manifestdata = getManifestTemplate("glance")
    if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
        mq_template = get_mq(config, "glance_ceilometer")
        manifestdata += getManifestTemplate(mq_template)
    fw_details = dict()
    key = "glance_api"
    fw_details.setdefault(key, {})
@@ -146,10 +128,3 @@ def create_manifest(config, messages):
    fw_details[key]['ports'] = ['9292']
    fw_details[key]['proto'] = "tcp"
    config['FIREWALL_GLANCE_RULES'] = fw_details
    # Set the backend
    manifestdata += getManifestTemplate(
        'glance_%s.pp' % config['CONFIG_GLANCE_BACKEND'])
    manifestdata += createFirewallResources('FIREWALL_GLANCE_RULES')
    appendManifestFile(manifestfile, manifestdata)
--- a/packstack/plugins/gnocchi_790.py
+++ b/packstack/plugins/gnocchi_790.py
@@ -22,9 +22,6 @@ from packstack.installer import validators
 from packstack.installer import processors
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
 # ------------- Gnocchi Packstack Plugin Initialization --------------
@@ -86,10 +83,8 @@ def initSequences(controller):
       controller.CONF['CONFIG_CEILOMETER_INSTALL'] != 'y'):
        return
-    steps = [{'title': 'Adding Gnocchi manifest entries',
+    steps = [{'title': 'Preparing Gnocchi entries',
-              'functions': [create_manifest]},
+              'functions': [create_manifest]}]
             {'title': 'Adding Gnocchi Keystone manifest entries',
              'functions': [create_keystone_manifest]}]
    controller.addSequence("Installing OpenStack Gnocchi", [], [],
                           steps)
@@ -97,10 +92,6 @@ def initSequences(controller):
 # -------------------------- step functions --------------------------
 def create_manifest(config, messages):
    manifestfile = "%s_gnocchi.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("gnocchi")
    manifestdata += getManifestTemplate("apache_ports")
    fw_details = dict()
    key = "gnocchi_api"
    fw_details.setdefault(key, {})
@@ -110,11 +101,3 @@ def create_manifest(config, messages):
    fw_details[key]['ports'] = ['8041']
    fw_details[key]['proto'] = "tcp"
    config['FIREWALL_GNOCCHI_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_GNOCCHI_RULES')
    appendManifestFile(manifestfile, manifestdata, 'gnocchi')
 def create_keystone_manifest(config, messages):
    manifestfile = "%s_keystone.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("keystone_gnocchi")
    appendManifestFile(manifestfile, manifestdata)
--- a/packstack/plugins/heat_650.py
+++ b/packstack/plugins/heat_650.py
@@ -24,10 +24,6 @@ from packstack.installer import validators
 from packstack.installer import processors
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.shortcuts import get_mq
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
 from packstack.modules.ospluginutils import generate_ssl_cert
 # ------------- Heat Packstack Plugin Initialization --------------
@@ -155,17 +151,17 @@ def initSequences(controller):
    if config['CONFIG_HEAT_INSTALL'] != 'y':
        return
    steps = [
-        {'title': 'Adding Heat manifest entries',
+        {'title': 'Preparing Heat entries',
         'functions': [create_manifest]},
    ]
    if config.get('CONFIG_HEAT_CLOUDWATCH_INSTALL', 'n') == 'y':
        steps.append(
-            {'title': 'Adding Heat CloudWatch API manifest entries',
+            {'title': 'Preparing Heat CloudWatch API entries',
             'functions': [create_cloudwatch_manifest]})
    if config.get('CONFIG_HEAT_CFN_INSTALL', 'n') == 'y':
        steps.append(
-            {'title': 'Adding Heat CloudFormation API manifest entries',
+            {'title': 'Preparing Heat CloudFormation API entries',
             'functions': [create_cfn_manifest]})
    controller.addSequence("Installing Heat", [], [], steps)
@@ -185,11 +181,6 @@ def create_manifest(config, messages):
        generate_ssl_cert(config, ssl_host, service, ssl_key_file,
                          ssl_cert_file)
    manifestfile = "%s_heat.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate(get_mq(config, "heat"))
    manifestdata += getManifestTemplate("heat")
    manifestdata += getManifestTemplate("keystone_heat")
    fw_details = dict()
    key = "heat"
    fw_details.setdefault(key, {})
@@ -200,15 +191,8 @@ def create_manifest(config, messages):
    fw_details[key]['proto'] = "tcp"
    config['FIREWALL_HEAT_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_HEAT_RULES')
    appendManifestFile(manifestfile, manifestdata, marker='heat')
 def create_cloudwatch_manifest(config, messages):
    manifestfile = "%s_heatcw.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate(get_mq(config, "heat"))
    manifestdata += getManifestTemplate("heat_cloudwatch")
    fw_details = dict()
    key = "heat_api_cloudwatch"
    fw_details.setdefault(key, {})
@@ -219,15 +203,8 @@ def create_cloudwatch_manifest(config, messages):
    fw_details[key]['proto'] = "tcp"
    config['FIREWALL_HEAT_CLOUDWATCH_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_HEAT_CLOUDWATCH_RULES')
    appendManifestFile(manifestfile, manifestdata, marker='heat')
 def create_cfn_manifest(config, messages):
    manifestfile = "%s_heatcnf.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate(get_mq(config, "heat"))
    manifestdata += getManifestTemplate("heat_cfn")
    fw_details = dict()
    key = "heat_cfn"
    fw_details.setdefault(key, {})
@@ -237,6 +214,3 @@ def create_cfn_manifest(config, messages):
    fw_details[key]['ports'] = ['8000']
    fw_details[key]['proto'] = "tcp"
    config['FIREWALL_HEAT_CFN_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_HEAT_CFN_RULES')
    appendManifestFile(manifestfile, manifestdata, marker='heat')
--- a/packstack/plugins/ironic_275.py
+++ b/packstack/plugins/ironic_275.py
@@ -22,10 +22,6 @@ from packstack.installer import validators
 from packstack.installer import processors
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.shortcuts import get_mq
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
 from packstack.modules.ospluginutils import generate_ssl_cert
 # ------------------ Ironic Packstack Plugin initialization ------------------
@@ -78,9 +74,7 @@ def initSequences(controller):
        return
    steps = [
-        {'title': 'Adding Ironic Keystone manifest entries',
+        {'title': 'Preparing Ironic entries',
         'functions': [create_keystone_manifest]},
        {'title': 'Adding Ironic manifest entries',
         'functions': [create_manifest]},
    ]
@@ -103,10 +97,6 @@ def create_manifest(config, messages):
        generate_ssl_cert(config, ssl_host, service, ssl_key_file,
                          ssl_cert_file)
    manifestfile = "%s_ironic.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate(get_mq(config, "ironic"))
    manifestdata += getManifestTemplate("ironic.pp")
    fw_details = dict()
    key = "ironic-api"
    fw_details.setdefault(key, {})
@@ -116,15 +106,3 @@ def create_manifest(config, messages):
    fw_details[key]['ports'] = ['6385']
    fw_details[key]['proto'] = "tcp"
    config['FIREWALL_IRONIC_API_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_IRONIC_API_RULES')
    appendManifestFile(manifestfile, manifestdata, 'pre')
 def create_keystone_manifest(config, messages):
    if config['CONFIG_UNSUPPORTED'] != 'y':
        config['CONFIG_IRONIC_HOST'] = config['CONFIG_CONTROLLER_HOST']
    manifestfile = "%s_keystone.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("keystone_ironic.pp")
    appendManifestFile(manifestfile, manifestdata)
--- a/packstack/plugins/keystone_100.py
+++ b/packstack/plugins/keystone_100.py
@@ -24,9 +24,6 @@ from packstack.installer import processors
 from packstack.installer import utils
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
 # ------------- Keystone Packstack Plugin Initialization --------------
@@ -718,7 +715,7 @@ def initSequences(controller):
        {'title':
         'Fixing Keystone LDAP config parameters to be undef if empty',
         'functions': [munge_ldap_config_params]},
-        {'title': 'Adding Keystone manifest entries',
+        {'title': 'Preparing Keystone entries',
         'functions': [create_manifest]},
    ]
    controller.addSequence("Installing OpenStack Keystone", [], [],
@@ -766,10 +763,6 @@ def munge_ldap_config_params(config, messages):
 def create_manifest(config, messages):
    manifestfile = "%s_keystone.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("keystone")
    manifestdata += getManifestTemplate("apache_ports")
    if config['CONFIG_IP_VERSION'] == 'ipv6':
        host = config['CONFIG_CONTROLLER_HOST']
        config['CONFIG_KEYSTONE_HOST_URL'] = "[%s]" % host
@@ -796,6 +789,3 @@ def create_manifest(config, messages):
    fw_details[key]['ports'] = ['5000', '35357']
    fw_details[key]['proto'] = "tcp"
    config['FIREWALL_KEYSTONE_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_KEYSTONE_RULES')
    appendManifestFile(manifestfile, manifestdata)
--- a/packstack/plugins/manila_355.py
+++ b/packstack/plugins/manila_355.py
@@ -22,10 +22,6 @@ from packstack.installer import validators
 from packstack.installer import utils
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.shortcuts import get_mq
 from packstack.modules.ospluginutils import getManifestTemplate
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import generate_ssl_cert
 # ------------- Manila Packstack Plugin Initialization --------------
@@ -554,9 +550,7 @@ def initSequences(controller):
    )
    manila_steps = [
-        {'title': 'Adding Manila Keystone manifest entries',
+        {'title': 'Preparing Manila entries',
         'functions': [create_keystone_manifest]},
        {'title': 'Adding Manila manifest entries',
         'functions': [create_manifest]}
    ]
@@ -604,15 +598,6 @@ def check_glusternfs_options(config):
 # -------------------------- step functions --------------------------
 def create_keystone_manifest(config, messages):
    if config['CONFIG_UNSUPPORTED'] != 'y':
        config['CONFIG_STORAGE_HOST'] = config['CONFIG_CONTROLLER_HOST']
    manifestfile = "%s_keystone.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("keystone_manila.pp")
    appendManifestFile(manifestfile, manifestdata)
 def create_manifest(config, messages):
    if config['CONFIG_UNSUPPORTED'] != 'y':
        config['CONFIG_STORAGE_HOST'] = config['CONFIG_CONTROLLER_HOST']
@@ -639,15 +624,6 @@ def create_manifest(config, messages):
        elif config[key].lower() == "false":
            config[key] = False
    manifestdata = getManifestTemplate(get_mq(config, "manila"))
    manifestfile = "%s_manila.pp" % config['CONFIG_STORAGE_HOST']
    manifestdata += getManifestTemplate("manila.pp")
    manifestdata += getManifestTemplate("manila_network.pp")
    backends = config['CONFIG_MANILA_BACKEND']
    for backend in backends:
        manifestdata += getManifestTemplate('manila_%s.pp' % backend)
    # manila API should be open for everyone
    fw_details = dict()
    key = "manila_api"
@@ -658,6 +634,3 @@ def create_manifest(config, messages):
    fw_details[key]['ports'] = ['8786']
    fw_details[key]['proto'] = "tcp"
    config['FIREWALL_MANILA_API_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_MANILA_API_RULES')
    appendManifestFile(manifestfile, manifestdata, marker='manila')
--- a/packstack/plugins/mariadb_003.py
+++ b/packstack/plugins/mariadb_003.py
@@ -23,9 +23,6 @@ from packstack.installer import utils
 from packstack.modules.common import filtered_hosts
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
 # ------------- MariaDB Packstack Plugin Initialization --------------
@@ -89,7 +86,7 @@ def initConfig(controller):
 def initSequences(controller):
    mariadbsteps = [
-        {'title': 'Adding MariaDB manifest entries',
+        {'title': 'Preparing MariaDB entries',
         'functions': [create_manifest]}
    ]
    controller.addSequence("Installing MariaDB", [], [], mariadbsteps)
@@ -99,10 +96,8 @@ def initSequences(controller):
 def create_manifest(config, messages):
    if config['CONFIG_MARIADB_INSTALL'] == 'y':
        suffix = 'install'
        host = config['CONFIG_MARIADB_HOST']
    else:
        suffix = 'noinstall'
        host = config['CONFIG_CONTROLLER_HOST']
    if config['CONFIG_IP_VERSION'] == 'ipv6':
@@ -110,30 +105,8 @@ def create_manifest(config, messages):
    else:
        config['CONFIG_MARIADB_HOST_URL'] = host
    manifestfile = "%s_mariadb.pp" % host
    manifestdata = [getManifestTemplate('mariadb_%s' % suffix)]
    def append_for(module, suffix):
        # Modules have to be appended to the existing mysql.pp
        # otherwise pp will fail for some of them saying that
        # Mysql::Config definition is missing.
        template = "mariadb_%s_%s" % (module, suffix)
        manifestdata.append(getManifestTemplate(template))
    append_for("keystone", suffix)
    for mod in ['nova', 'cinder', 'glance', 'neutron', 'heat', 'sahara',
                'trove', 'ironic', 'manila']:
        if config['CONFIG_%s_INSTALL' % mod.upper()] == 'y':
            append_for(mod, suffix)
    if (config['CONFIG_GNOCCHI_INSTALL'] == 'y' and
       config['CONFIG_CEILOMETER_INSTALL'] == 'y'):
        append_for('gnocchi', suffix)
    hosts = filtered_hosts(config, exclude=False, dbhost=True)
    fw_details = dict()
-    for host in hosts:
+    for host in filtered_hosts(config, exclude=False, dbhost=True):
        key = "mariadb_%s" % host
        fw_details.setdefault(key, {})
        fw_details[key]['host'] = "%s" % host
@@ -142,6 +115,3 @@ def create_manifest(config, messages):
        fw_details[key]['ports'] = ['3306']
        fw_details[key]['proto'] = "tcp"
    config['FIREWALL_MARIADB_RULES'] = fw_details
    manifestdata.append(createFirewallResources('FIREWALL_MARIADB_RULES'))
    appendManifestFile(manifestfile, "\n".join(manifestdata), 'pre')
--- a/packstack/plugins/nagios_910.py
+++ b/packstack/plugins/nagios_910.py
@@ -23,9 +23,6 @@ from packstack.installer import utils
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.common import filtered_hosts
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
 # ------------- Nagios Packstack Plugin Initialization --------------
@@ -63,9 +60,9 @@ def initSequences(controller):
        return
    nagiossteps = [
-        {'title': 'Adding Nagios server manifest entries',
+        {'title': 'Preparing Nagios server entries',
         'functions': [create_manifest]},
-        {'title': 'Adding Nagios host manifest entries',
+        {'title': 'Preparing Nagios host entries',
         'functions': [create_nrpe_manifests]}
    ]
    controller.addSequence("Installing Nagios", [], [], nagiossteps)
@@ -92,17 +89,10 @@ def create_manifest(config, messages):
    config['CONFIG_NAGIOS_SERVICES'] = openstack_services
    manifestfile = "%s_nagios.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("nagios_server")
    manifestdata += getManifestTemplate("apache_ports")
    appendManifestFile(manifestfile, manifestdata)
 def create_nrpe_manifests(config, messages):
    for hostname in filtered_hosts(config):
        config['CONFIG_NRPE_HOST'] = hostname
        manifestfile = "%s_nagios_nrpe.pp" % hostname
        manifestdata = getManifestTemplate("nagios_nrpe")
        # Only the Nagios host is allowed to talk to nrpe
        fw_details = dict()
@@ -115,9 +105,6 @@ def create_nrpe_manifests(config, messages):
        fw_details[key]['proto'] = "tcp"
        config['FIREWALL_NAGIOS_NRPE_RULES'] = fw_details
        manifestdata += createFirewallResources('FIREWALL_NAGIOS_NRPE_RULES')
        appendManifestFile(manifestfile, manifestdata)
    messages.append("To use Nagios, browse to "
                    "http://%(CONFIG_CONTROLLER_HOST)s/nagios "
                    "username: nagiosadmin, password: %(CONFIG_NAGIOS_PW)s"
--- a/packstack/plugins/neutron_350.py
+++ b/packstack/plugins/neutron_350.py
@@ -25,10 +25,6 @@ from packstack.installer.utils import split_hosts
 from packstack.modules import common
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.shortcuts import get_mq
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
 from packstack.modules.ospluginutils import generate_ssl_cert
 # ------------- Neutron Packstack Plugin Initialization --------------
@@ -504,28 +500,18 @@ def initSequences(controller):
        config['CONFIG_NEUTRON_ML2_SRIOV_AGENT_REQUIRED'] = False
    neutron_steps = [
-        {'title': 'Adding Neutron VPNaaS Agent manifest entries',
+        {'title': 'Preparing Neutron LBaaS Agent entries',
         'functions': [create_vpnaas_manifests]},
        {'title': 'Adding Neutron FWaaS Agent manifest entries',
         'functions': [create_fwaas_manifests]},
        {'title': 'Adding Neutron LBaaS Agent manifest entries',
         'functions': [create_lbaas_manifests]},
-        {'title': 'Adding Neutron API manifest entries',
+        {'title': 'Preparing Neutron API entries',
         'functions': [create_manifests]},
-        {'title': 'Adding Neutron Keystone manifest entries',
+        {'title': 'Preparing Neutron L3 entries',
         'functions': [create_keystone_manifest]},
        {'title': 'Adding Neutron L3 manifest entries',
         'functions': [create_l3_manifests]},
-        {'title': 'Adding Neutron L2 Agent manifest entries',
+        {'title': 'Preparing Neutron L2 Agent entries',
         'functions': [create_l2_agent_manifests]},
-        {'title': 'Adding Neutron DHCP Agent manifest entries',
+        {'title': 'Preparing Neutron DHCP Agent entries',
         'functions': [create_dhcp_manifests]},
-        {'title': 'Adding Neutron Metering Agent manifest entries',
+        {'title': 'Preparing Neutron Metering Agent entries',
         'functions': [create_metering_agent_manifests]},
        {'title': 'Adding Neutron Metadata Agent manifest entries',
         'functions': [create_metadata_manifests]},
        {'title': 'Adding Neutron SR-IOV Switch Agent manifest entries',
         'functions': [create_sriovnicswitch_manifests]},
        {'title': 'Checking if NetworkManager is enabled and running',
         'functions': [check_nm_status]},
    ]
@@ -590,9 +576,8 @@ def get_values(val):
    return [x.strip() for x in val.split(',')] if val else []
-def tunnel_fw_details(config, host, src):
+def tunnel_fw_details(config, host, src, fw_details):
    key = "neutron_tunnel_%s_%s" % (host, src)
    fw_details = dict()
    fw_details.setdefault(key, {})
    fw_details[key]['host'] = "%s" % src
    fw_details[key]['service_name'] = "neutron tunnel port"
@@ -604,7 +589,6 @@ def tunnel_fw_details(config, host, src):
        fw_details[key]['proto'] = 'gre'
        tun_port = None
    fw_details[key]['ports'] = tun_port
    return fw_details
 # -------------------------- step functions --------------------------
@@ -661,22 +645,7 @@ def create_manifests(config, messages):
            generate_ssl_cert(config, host, service, ssl_key_file,
                              ssl_cert_file)
        manifest_file = "%s_neutron.pp" % (host,)
        manifest_data = getManifestTemplate("neutron")
        manifest_data += getManifestTemplate(get_mq(config, "neutron"))
        appendManifestFile(manifest_file, manifest_data, 'neutron')
        if host in api_hosts:
            manifest_file = "%s_neutron.pp" % (host,)
            manifest_data = getManifestTemplate("neutron_api")
            if config['CONFIG_NOVA_INSTALL'] == 'y':
                template_name = "neutron_notifications"
                manifest_data += getManifestTemplate(template_name)
            # Set up any l2 plugin configs we need only on neutron api nodes
            # XXX I am not completely sure about this, but it seems necessary:
            manifest_data += getManifestTemplate(plugin_manifest)
            # Firewall
            fw_details = dict()
            key = "neutron_server_%s" % host
@@ -688,33 +657,24 @@ def create_manifests(config, messages):
            fw_details[key]['proto'] = "tcp"
            config['FIREWALL_NEUTRON_SERVER_RULES'] = fw_details
            manifest_data += createFirewallResources(
                'FIREWALL_NEUTRON_SERVER_RULES'
            )
            appendManifestFile(manifest_file, manifest_data, 'neutron')
        # We also need to open VXLAN/GRE port for agent
        manifest_data = ""
        if use_openvswitch_vxlan(config) or use_openvswitch_gre(config):
            if config['CONFIG_IP_VERSION'] == 'ipv6':
                msg = output_messages.WARN_IPV6_OVS
                messages.append(utils.color_text(msg % host, 'red'))
-
+            fw_details = dict()
            if (config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS']):
                tunnel_subnets = map(
                    str.strip,
                    config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS'].split(',')
                )
                cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s" % host)
                for subnet in tunnel_subnets:
-                    cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s_%s"
+                    tunnel_fw_details(config, host, subnet, fw_details)
-                                    % (host, subnet))
+                config[cf_fw_nt_key] = fw_details
                    config[cf_fw_nt_key] = tunnel_fw_details(config,
                                                             host, subnet)
                    manifest_data += createFirewallResources(cf_fw_nt_key)
            else:
                cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s" % host)
                for n_host in network_hosts | compute_hosts:
                    cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s_%s"
                                    % (host, n_host))
                    if config['CONFIG_NEUTRON_OVS_TUNNEL_IF']:
                        if config['CONFIG_USE_SUBNETS'] == 'y':
                            iface = common.cidr_to_ifname(
@@ -731,17 +691,8 @@ def create_manifests(config, messages):
                                           (iface, n_host))
                    else:
                        src_host = n_host
-                    config[cf_fw_nt_key] = tunnel_fw_details(config,
+                    tunnel_fw_details(config, host, src_host, fw_details)
-                                                             host, src_host)
+                config[cf_fw_nt_key] = fw_details
                    manifest_data += createFirewallResources(cf_fw_nt_key)
            appendManifestFile(manifest_file, manifest_data, 'neutron')
 def create_keystone_manifest(config, messages):
    manifestfile = "%s_keystone.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("keystone_neutron")
    appendManifestFile(manifestfile, manifestdata)
 def create_l3_manifests(config, messages):
@@ -753,9 +704,6 @@ def create_l3_manifests(config, messages):
    for host in network_hosts:
        config['CONFIG_NEUTRON_L3_HOST'] = host
        config['CONFIG_NEUTRON_L3_INTERFACE_DRIVER'] = get_if_driver(config)
        manifestdata = getManifestTemplate("neutron_l3")
        manifestfile = "%s_neutron.pp" % (host,)
        appendManifestFile(manifestfile, manifestdata + '\n')
        if config['CONFIG_NEUTRON_L2_AGENT'] == 'openvswitch':
            ext_bridge = config['CONFIG_NEUTRON_L3_EXT_BRIDGE']
@@ -764,8 +712,9 @@ def create_l3_manifests(config, messages):
                ext_bridge) if ext_bridge else None
            if (ext_bridge and not mapping):
                config['CONFIG_NEUTRON_OVS_BRIDGE'] = ext_bridge
-                manifestdata = getManifestTemplate('neutron_ovs_bridge')
+                config['CONFIG_NEUTRON_OVS_BRIDGE_CREATE'] = 'y'
-                appendManifestFile(manifestfile, manifestdata + '\n')
+            else:
                config['CONFIG_NEUTRON_OVS_BRIDGE_CREATE'] = 'n'
 def create_dhcp_manifests(config, messages):
@@ -774,11 +723,7 @@ def create_dhcp_manifests(config, messages):
    for host in network_hosts:
        config["CONFIG_NEUTRON_DHCP_HOST"] = host
        config['CONFIG_NEUTRON_DHCP_INTERFACE_DRIVER'] = get_if_driver(config)
-        if use_openvswitch_vxlan(config) or use_openvswitch_gre(config):
+
            manifest_data = getManifestTemplate("neutron_dhcp_mtu")
        else:
            manifest_data = getManifestTemplate("neutron_dhcp")
        manifest_file = "%s_neutron.pp" % (host,)
        # Firewall Rules for dhcp in
        fw_details = dict()
        key = "neutron_dhcp_in_%s" % host
@@ -789,9 +734,6 @@ def create_dhcp_manifests(config, messages):
        fw_details[key]['ports'] = ['67']
        fw_details[key]['proto'] = "udp"
        config['FIREWALL_NEUTRON_DHCPIN_RULES'] = fw_details
        manifest_data += createFirewallResources(
            'FIREWALL_NEUTRON_DHCPIN_RULES'
        )
        # Firewall Rules for dhcp out
        fw_details = dict()
@@ -803,35 +745,6 @@ def create_dhcp_manifests(config, messages):
        fw_details[key]['ports'] = ['68']
        fw_details[key]['proto'] = "udp"
        config['FIREWALL_NEUTRON_DHCPOUT_RULES'] = fw_details
        manifest_data += createFirewallResources(
            'FIREWALL_NEUTRON_DHCPOUT_RULES'
        )
        appendManifestFile(manifest_file, manifest_data, 'neutron')
 def create_fwaas_manifests(config, messages):
    global network_hosts
    if not config['CONFIG_NEUTRON_FWAAS'] == 'y':
        return
    for host in network_hosts:
        manifestdata = getManifestTemplate("neutron_fwaas")
        manifestfile = "%s_neutron.pp" % (host,)
        appendManifestFile(manifestfile, manifestdata + "\n")
 def create_vpnaas_manifests(config, messages):
    global network_hosts
    if config['CONFIG_NEUTRON_VPNAAS'] != 'y':
        return
    for host in network_hosts:
        manifestdata = getManifestTemplate("neutron_vpnaas")
        manifestfile = "%s_neutron.pp" % (host,)
        appendManifestFile(manifestfile, manifestdata + "\n")
 def create_lbaas_manifests(config, messages):
@@ -842,9 +755,6 @@ def create_lbaas_manifests(config, messages):
    for host in network_hosts:
        config['CONFIG_NEUTRON_LBAAS_INTERFACE_DRIVER'] = get_if_driver(config)
        manifestdata = getManifestTemplate("neutron_lbaas")
        manifestfile = "%s_neutron.pp" % (host,)
        appendManifestFile(manifestfile, manifestdata + "\n")
 def create_metering_agent_manifests(config, messages):
@@ -855,9 +765,6 @@ def create_metering_agent_manifests(config, messages):
    for host in network_hosts:
        config['CONFIG_NEUTRON_METERING_IFCE_DRIVER'] = get_if_driver(config)
        manifestdata = getManifestTemplate("neutron_metering_agent")
        manifestfile = "%s_neutron.pp" % (host,)
        appendManifestFile(manifestfile, manifestdata + "\n")
 def create_l2_agent_manifests(config, messages):
@@ -881,7 +788,6 @@ def create_l2_agent_manifests(config, messages):
        config["CONFIG_NEUTRON_OVS_TUNNELING"] = tunnel
        tunnel_types = set(ovs_type) & set(['gre', 'vxlan'])
        config["CONFIG_NEUTRON_OVS_TUNNEL_TYPES"] = list(tunnel_types)
        template_name = "neutron_ovs_agent"
        bm_arr = get_values(config["CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS"])
        iface_arr = get_values(config["CONFIG_NEUTRON_OVS_BRIDGE_IFACES"])
@@ -910,7 +816,6 @@ def create_l2_agent_manifests(config, messages):
    elif agent == "linuxbridge":
        host_var = 'CONFIG_NEUTRON_LB_HOST'
        template_name = 'neutron_lb_agent'
    else:
        raise KeyError("Unknown layer2 agent")
@@ -918,8 +823,6 @@ def create_l2_agent_manifests(config, messages):
    no_tunnel_types = set(ovs_type) & set(['vlan', 'flat'])
    for host in network_hosts | compute_hosts:
        manifestfile = "%s_neutron.pp" % (host,)
        manifestdata = "$cfg_neutron_ovs_host = '%s'\n" % host
        # NICs connected to OVS bridges can be required in network nodes if
        # vlan, flat, vxlan or gre are enabled. For compute nodes, they are
        # only required if vlan or flat are enabled.
@@ -937,40 +840,9 @@ def create_l2_agent_manifests(config, messages):
                ]
            config["CONFIG_NEUTRON_OVS_BRIDGE_IFACES"] = iface_arr
            config["CONFIG_NEUTRON_OVS_BRIDGE_IFACES_COMPUTE"] = if_arr_cmp
-            manifestdata += "$create_bridges = true\n"
+            config['CREATE_BRIDGES'] = 'y'
        else:
-            manifestdata += "$create_bridges = false\n"
+            config['CREATE_BRIDGES'] = 'n'
        is_network_host = str(host in network_hosts).lower()
        manifestdata += "$network_host = %s\n" % is_network_host
        manifestdata += getManifestTemplate(template_name)
        appendManifestFile(manifestfile, manifestdata + "\n")
        # Additional configurations required for compute hosts and
        # network hosts.
        manifestdata = getManifestTemplate('neutron_bridge_module')
        appendManifestFile(manifestfile, manifestdata + '\n')
 def create_sriovnicswitch_manifests(config, messages):
    global compute_hosts
    if not use_ml2_with_sriovnicswitch(config):
        return
    for host in compute_hosts:
        manifestdata = getManifestTemplate("neutron_sriov")
        manifestfile = "%s_neutron.pp" % (host,)
        appendManifestFile(manifestfile, manifestdata + "\n")
 def create_metadata_manifests(config, messages):
    global network_hosts
    if config.get('CONFIG_NOVA_INSTALL') == 'n':
        return
    for host in network_hosts:
        config['CONFIG_NEUTRON_METADATA_HOST'] = host
        manifestdata = getManifestTemplate('neutron_metadata')
        manifestfile = "%s_neutron.pp" % (host,)
        appendManifestFile(manifestfile, manifestdata + "\n")
 def check_nm_status(config, messages):
--- a/packstack/plugins/nova_300.py
+++ b/packstack/plugins/nova_300.py
@@ -27,15 +27,10 @@ from packstack.installer import utils
 from packstack.installer import validators
 from packstack.modules import common
 from packstack.modules.common import filtered_hosts
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.shortcuts import get_mq
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import prependManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import deliver_ssl_file
 from packstack.modules.ospluginutils import getManifestTemplate
 from packstack.modules.ospluginutils import generate_ssl_cert
 from packstack.modules.ospluginutils import manifestfiles
 # ------------- Nova Packstack Plugin Initialization --------------
@@ -392,35 +387,29 @@ def initSequences(controller):
        return
    if controller.CONF['CONFIG_NEUTRON_INSTALL'] == 'y':
-        network_title = ('Adding OpenStack Network-related '
+        network_title = ('Preparing OpenStack Network-related '
-                         'Nova manifest entries')
+                         'Nova entries')
        network_function = create_neutron_manifest
    else:
-        network_title = 'Adding Nova Network manifest entries'
+        network_title = 'Preparing Nova Network entries'
        network_function = create_network_manifest
    novaapisteps = [
-        {'title': 'Adding Nova API manifest entries',
+        {'title': 'Preparing Nova API entries',
         'functions': [create_api_manifest]},
        {'title': 'Adding Nova Keystone manifest entries',
         'functions': [create_keystone_manifest]},
        {'title': 'Adding Nova Cert manifest entries',
         'functions': [create_cert_manifest]},
        {'title': 'Adding Nova Conductor manifest entries',
         'functions': [create_conductor_manifest]},
        {'title': 'Creating ssh keys for Nova migration',
         'functions': [create_ssh_keys]},
        {'title': 'Gathering ssh host keys for Nova migration',
         'functions': [gather_host_keys]},
-        {'title': 'Adding Nova Compute manifest entries',
+        {'title': 'Preparing Nova Compute entries',
         'functions': [create_compute_manifest]},
-        {'title': 'Adding Nova Scheduler manifest entries',
+        {'title': 'Preparing Nova Scheduler entries',
         'functions': [create_sched_manifest]},
-        {'title': 'Adding Nova VNC Proxy manifest entries',
+        {'title': 'Preparing Nova VNC Proxy entries',
         'functions': [create_vncproxy_manifest]},
        {'title': network_title,
         'functions': [network_function]},
-        {'title': 'Adding Nova Common manifest entries',
+        {'title': 'Preparing Nova Common entries',
         'functions': [create_common_manifest]},
    ]
@@ -540,8 +529,6 @@ def create_api_manifest(config, messages):
        config['CONFIG_NEUTRON_METADATA_PW_UNQUOTED'] = None
    else:
        config['CONFIG_NEUTRON_METADATA_PW_UNQUOTED'] = "%s" % config['CONFIG_NEUTRON_METADATA_PW']
    manifestfile = "%s_api_nova.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("nova_api")
    fw_details = dict()
    key = "nova_api"
@@ -552,27 +539,6 @@ def create_api_manifest(config, messages):
    fw_details[key]['ports'] = ['8773', '8774', '8775']
    fw_details[key]['proto'] = "tcp"
    config['FIREWALL_NOVA_API_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_NOVA_API_RULES')
    appendManifestFile(manifestfile, manifestdata, 'novaapi')
 def create_keystone_manifest(config, messages):
    manifestfile = "%s_keystone.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("keystone_nova")
    appendManifestFile(manifestfile, manifestdata)
 def create_cert_manifest(config, messages):
    manifestfile = "%s_nova.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("nova_cert")
    appendManifestFile(manifestfile, manifestdata)
 def create_conductor_manifest(config, messages):
    manifestfile = "%s_nova.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("nova_conductor")
    appendManifestFile(manifestfile, manifestdata)
 def create_compute_manifest(config, messages):
@@ -594,8 +560,6 @@ def create_compute_manifest(config, messages):
            'qemu+tcp://nova@%s/system'
        )
    ssh_hostkeys = ''
    ssh_keys_details = {}
    for host in compute_hosts:
        try:
@@ -617,7 +581,6 @@ def create_compute_manifest(config, messages):
            ssh_keys_details[key]['type'] = host_key_type
    config['SSH_KEYS'] = ssh_keys_details
    ssh_hostkeys += getManifestTemplate("sshkey")
    if config['CONFIG_VMWARE_BACKEND'] == 'y':
        vcenters = [i.strip() for i in
@@ -637,14 +600,13 @@ def create_compute_manifest(config, messages):
            else:
                vcenters = len(compute_hosts) * [vcenters[0]]
        vmware_clusters = dict(zip(compute_hosts, vcenters))
        config['CONFIG_VCENTER_CLUSTERS'] = vmware_clusters
    for host in compute_hosts:
        if config['CONFIG_IRONIC_INSTALL'] == 'y':
            cm = 'ironic.nova.compute.manager.ClusteredComputeManager'
            config['CONFIG_NOVA_COMPUTE_MANAGER'] = cm
        manifestdata = getManifestTemplate("nova_compute")
        fw_details = dict()
        cf_fw_qemu_mig_key = "FIREWALL_NOVA_QEMU_MIG_RULES_%s" % host
        for c_host in compute_hosts:
@@ -657,31 +619,8 @@ def create_compute_manifest(config, messages):
            fw_details[key]['proto'] = "tcp"
        config[cf_fw_qemu_mig_key] = fw_details
        manifestdata += createFirewallResources(cf_fw_qemu_mig_key)
        if config['CONFIG_VMWARE_BACKEND'] == 'y':
            manifestdata += ("\n$nova_vcenter_cluster_name = '%s'\n" %
                             vmware_clusters[host])
            manifestdata += getManifestTemplate("nova_compute_vmware.pp")
        elif config['CONFIG_IRONIC_INSTALL'] == 'y':
            manifestdata += getManifestTemplate("nova_compute_ironic.pp")
        else:
            manifestdata += getManifestTemplate("nova_compute_libvirt.pp")
        if (config['CONFIG_VMWARE_BACKEND'] != 'y' and
                config['CONFIG_CINDER_INSTALL'] == 'y' and
                'gluster' in config['CONFIG_CINDER_BACKEND']):
            manifestdata += getManifestTemplate("nova_gluster")
        if (config['CONFIG_VMWARE_BACKEND'] != 'y' and
                config['CONFIG_CINDER_INSTALL'] == 'y' and
                'nfs' in config['CONFIG_CINDER_BACKEND']):
            manifestdata += getManifestTemplate("nova_nfs")
        manifestfile = "%s_nova.pp" % host
        if config['CONFIG_NEUTRON_INSTALL'] != 'y':
            if host not in network_hosts:
                manifestdata += getManifestTemplate('nova_compute_flat')
            key = 'CONFIG_NOVA_COMPUTE_PRIVIF'
            if not config[key].strip():
                config[key] = dummy_interface(host)
@@ -711,10 +650,6 @@ def create_compute_manifest(config, messages):
                generate_ssl_cert(config, host, service, ssl_key_file,
                                  ssl_cert_file)
            mq_template = get_mq(config, "nova_ceilometer")
            manifestdata += getManifestTemplate(mq_template)
            manifestdata += getManifestTemplate("nova_ceilometer")
        fw_details = dict()
        key = "nova_compute"
        fw_details.setdefault(key, {})
@@ -725,12 +660,6 @@ def create_compute_manifest(config, messages):
        fw_details[key]['proto'] = "tcp"
        config['FIREWALL_NOVA_COMPUTE_RULES'] = fw_details
        manifestdata += "\n" + createFirewallResources(
            'FIREWALL_NOVA_COMPUTE_RULES'
            )
        manifestdata += "\n" + ssh_hostkeys
        appendManifestFile(manifestfile, manifestdata)
 def create_network_manifest(config, messages):
    global compute_hosts, network_hosts
@@ -768,28 +697,11 @@ def create_network_manifest(config, messages):
        net_size = 2 ** (32 - int(routing_prefix))
        config['CONFIG_NOVA_NETWORK_FIXEDSIZE'] = str(net_size)
        manifestfile = "%s_nova.pp" % host
        manifestdata = getManifestTemplate("nova_network")
        # Restart libvirt if we deploy nova network on compute
        if host in compute_hosts:
            manifestdata += getManifestTemplate("nova_network_libvirt")
        # in multihost mode each compute host runs nova-api-metadata
        if multihost and host != api_host and host in compute_hosts:
            manifestdata += getManifestTemplate("nova_metadata")
        appendManifestFile(manifestfile, manifestdata)
 def create_sched_manifest(config, messages):
    manifestfile = "%s_nova.pp" % config['CONFIG_CONTROLLER_HOST']
    if config['CONFIG_IRONIC_INSTALL'] == 'y':
        manifestdata = getManifestTemplate("nova_sched_ironic.pp")
        ram_alloc = '1.0'
        config['CONFIG_NOVA_SCHED_RAM_ALLOC_RATIO'] = ram_alloc
        manifestdata += getManifestTemplate("nova_sched.pp")
    else:
        manifestdata = getManifestTemplate("nova_sched.pp")
    appendManifestFile(manifestfile, manifestdata)
 def create_vncproxy_manifest(config, messages):
@@ -820,10 +732,6 @@ def create_vncproxy_manifest(config, messages):
            generate_ssl_cert(config, ssl_host, service, ssl_key_file,
                              ssl_cert_file)
    manifestfile = "%s_nova.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("nova_vncproxy")
    appendManifestFile(manifestfile, manifestdata)
 def create_common_manifest(config, messages):
    global compute_hosts, network_hosts
@@ -834,45 +742,34 @@ def create_common_manifest(config, messages):
    dbacces_hosts = set([config.get('CONFIG_CONTROLLER_HOST')])
    dbacces_hosts |= network_hosts
-    for manifestfile, marker in manifestfiles.getFiles():
+    for host in filtered_hosts(config):
        pw_in_sqlconn = False
-        if manifestfile.endswith("_nova.pp"):
+        host = host.strip()
            host, manifest = manifestfile.split('_', 1)
            host = host.strip()
-            if host in compute_hosts and host not in dbacces_hosts:
+        if host in compute_hosts and host not in dbacces_hosts:
-                # we should omit password in case we are installing only
+            # we should omit password in case we are installing only
-                # nova-compute to the host
+            # nova-compute to the host
-                perms = "nova"
+            perms = "nova"
-                pw_in_sqlconn = False
+            pw_in_sqlconn = False
-            else:
+        else:
-                perms = "nova:%s" % config['CONFIG_NOVA_DB_PW']
+            perms = "nova:%s" % config['CONFIG_NOVA_DB_PW']
-                pw_in_sqlconn = True
+            pw_in_sqlconn = True
-            mariadb_host_url = config['CONFIG_MARIADB_HOST_URL']
+        mariadb_host_url = config['CONFIG_MARIADB_HOST_URL']
-            sqlconn = "mysql+pymysql://%s@%s/nova" % (perms, mariadb_host_url)
+        sqlconn = "mysql+pymysql://%s@%s/nova" % (perms, mariadb_host_url)
-            if pw_in_sqlconn:
+        if pw_in_sqlconn:
-                config['CONFIG_NOVA_SQL_CONN_PW'] = sqlconn
+            config['CONFIG_NOVA_SQL_CONN_PW'] = sqlconn
-            else:
+        else:
-                config['CONFIG_NOVA_SQL_CONN_NOPW'] = sqlconn
+            config['CONFIG_NOVA_SQL_CONN_NOPW'] = sqlconn
-            # for nova-network in multihost mode each compute host is metadata
+        # for nova-network in multihost mode each compute host is metadata
-            # host otherwise we use api host
+        # host otherwise we use api host
-            if (network_type == 'nova' and network_multi and
+        if (network_type == 'nova' and network_multi and
-                    host in compute_hosts):
+                host in compute_hosts):
-                metadata = host
+            metadata = host
-            else:
+        else:
-                metadata = config['CONFIG_CONTROLLER_HOST']
+            metadata = config['CONFIG_CONTROLLER_HOST']
-            config['CONFIG_NOVA_METADATA_HOST'] = metadata
+        config['CONFIG_NOVA_METADATA_HOST'] = metadata
            data = getManifestTemplate(get_mq(config, "nova_common"))
            if pw_in_sqlconn:
                data += getManifestTemplate("nova_common_pw")
            else:
                data += getManifestTemplate("nova_common_nopw")
            # We need to have class nova before class nova::api, so prepend
            # instead of append
            prependManifestFile(os.path.split(manifestfile)[1], data)
    if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
        nova_hosts = compute_hosts
@@ -899,8 +796,3 @@ def create_neutron_manifest(config, messages):
    else:
        virt_driver = 'nova.virt.libvirt.vif.LibvirtGenericVIFDriver'
        config['CONFIG_NOVA_LIBVIRT_VIF_DRIVER'] = virt_driver
    for manifestfile, marker in manifestfiles.getFiles():
        if manifestfile.endswith("_nova.pp"):
            data = getManifestTemplate("nova_neutron")
            appendManifestFile(os.path.split(manifestfile)[1], data)
--- a/packstack/plugins/openstack_client_400.py
+++ b/packstack/plugins/openstack_client_400.py
@@ -20,9 +20,6 @@ import os
 from packstack.installer import utils
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import getManifestTemplate
 # ------------- OpenStack Client Packstack Plugin Initialization --------------
 PLUGIN_NAME = "OS-Client"
@@ -44,7 +41,7 @@ def initSequences(controller):
        return
    osclientsteps = [
-        {'title': 'Adding OpenStack Client manifest entries',
+        {'title': 'Preparing OpenStack Client entries',
         'functions': [create_manifest]}
    ]
    controller.addSequence("Installing OpenStack Client", [], [],
@@ -55,7 +52,6 @@ def initSequences(controller):
 def create_manifest(config, messages):
    client_host = config['CONFIG_CONTROLLER_HOST'].strip()
    manifestfile = "%s_osclient.pp" % client_host
    server = utils.ScriptRunner(client_host)
    server.append('echo $HOME')
@@ -72,9 +68,6 @@ def create_manifest(config, messages):
                        root_home != homedir)
    config['NO_ROOT_USER_ALLINONE'] = no_root_allinone and True or False
    manifestdata = getManifestTemplate("openstack_client")
    appendManifestFile(manifestfile, manifestdata)
    msg = ("File %s/keystonerc_admin has been created on OpenStack client host"
           " %s. To use the command line tools you need to source the file.")
    messages.append(msg % (root_home, client_host))
--- a/packstack/plugins/prescript_000.py
+++ b/packstack/plugins/prescript_000.py
@@ -33,8 +33,6 @@ from packstack.installer import validators
 from packstack.modules.common import filtered_hosts
 from packstack.modules.common import is_all_in_one
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import getManifestTemplate
 # ------------- Prescript Packstack Plugin Initialization --------------
@@ -946,7 +944,7 @@ def initSequences(controller):
         'functions': [server_prep]},
        {'title': 'Pre installing Puppet and discovering hosts\' details',
         'functions': [preinstall_and_discover]},
-        {'title': 'Adding pre install manifest entries',
+        {'title': 'Preparing pre-install entries',
         'functions': [create_manifest]},
    ]
@@ -1458,11 +1456,6 @@ def create_manifest(config, messages):
    else:
        config['CONFIG_STORAGE_HOST_URL'] = config['CONFIG_STORAGE_HOST']
    for hostname in filtered_hosts(config):
        manifestfile = "%s_prescript.pp" % hostname
        manifestdata = getManifestTemplate("prescript")
        appendManifestFile(manifestfile, manifestdata)
 def create_ntp_manifest(config, messages):
    srvlist = [i.strip()
@@ -1472,23 +1465,3 @@ def create_ntp_manifest(config, messages):
    definiton = '\n'.join(['server %s' % i for i in srvlist])
    config['CONFIG_NTP_SERVER_DEF'] = '%s\n' % definiton
    marker = uuid.uuid4().hex[:16]
    for hostname in filtered_hosts(config):
        hostnfo = config['HOST_DETAILS'][hostname]
        releaseos = hostnfo['operatingsystem']
        releasever = hostnfo['operatingsystemmajrelease']
        # Configure chrony for Fedora or RHEL/CentOS 7
        if releaseos == 'Fedora' or releasever == '7':
            manifestdata = getManifestTemplate('chrony')
            appendManifestFile('%s_chrony.pp' % hostname,
                               manifestdata,
                               marker=marker)
        # For previous versions, configure ntpd
        else:
            manifestdata = getManifestTemplate('ntpd')
            appendManifestFile('%s_ntpd.pp' % hostname,
                               manifestdata,
                               marker=marker)
--- a/packstack/plugins/provision_700.py
+++ b/packstack/plugins/provision_700.py
@@ -22,8 +22,6 @@ from packstack.installer import validators
 from packstack.installer import processors
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import getManifestTemplate
 # ------------- Provision Packstack Plugin Initialization --------------
@@ -381,58 +379,3 @@ def initConfig(controller):
 def initSequences(controller):
    config = controller.CONF
    if (config['CONFIG_PROVISION_DEMO'] != "y" and
            config['CONFIG_PROVISION_TEMPEST'] != "y"):
        return
    provision_steps = [
        {'title': 'Adding Provisioning manifest entries',
         'functions': [create_provision_manifest]},
        {'title': 'Adding Provisioning Glance manifest entries',
         'functions': [create_storage_manifest]},
    ]
    if (config['CONFIG_PROVISION_TEMPEST'] == "y" or
            config['CONFIG_PROVISION_DEMO'] == "y"):
        provision_steps.append(
            {'title': 'Adding Provisioning Demo bridge manifest entries',
             'functions': [create_bridge_manifest]}
        )
    if config['CONFIG_PROVISION_TEMPEST'] == "y":
        provision_steps.append(
            {'title': 'Adding Provisioning Tempest manifest entries',
             'functions': [create_tempest_manifest]}
        )
    controller.addSequence("Provisioning for Demo and Testing Usage",
                           [], [], provision_steps)
 # -------------------------- step functions --------------------------
 def create_provision_manifest(config, messages):
    manifest_file = '%s_provision.pp' % config['CONFIG_CONTROLLER_HOST']
    manifest_data = getManifestTemplate("provision")
    appendManifestFile(manifest_file, manifest_data, 'provision')
 def create_bridge_manifest(config, messages):
    for host in utils.split_hosts(config['CONFIG_NETWORK_HOSTS']):
        manifest_file = '{}_provision_bridge.pp'.format(host)
        manifest_data = getManifestTemplate("provision_bridge")
        appendManifestFile(manifest_file, manifest_data, 'bridge')
 def create_storage_manifest(config, messages):
    if config['CONFIG_GLANCE_INSTALL'] == 'y':
        template = "provision_glance"
        manifest_file = '%s_provision_glance' % config['CONFIG_STORAGE_HOST']
        manifest_data = getManifestTemplate(template)
        appendManifestFile(manifest_file, manifest_data, 'provision')
 def create_tempest_manifest(config, messages):
    manifest_file = ('%s_provision_tempest.pp' %
                     config['CONFIG_TEMPEST_HOST'])
    manifest_data = getManifestTemplate("provision_tempest")
    appendManifestFile(manifest_file, manifest_data, 'tempest')
--- a/packstack/plugins/puppet_950.py
+++ b/packstack/plugins/puppet_950.py
@@ -25,9 +25,12 @@ from packstack.installer import utils
 from packstack.installer import basedefs
 from packstack.installer.exceptions import PuppetError
 from packstack.installer.exceptions import ScriptRuntimeError
 from packstack.installer.utils import split_hosts
 from packstack.modules.common import filtered_hosts
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import generateHieraDataFile
 from packstack.modules.ospluginutils import getManifestTemplate
 from packstack.modules.ospluginutils import manifestfiles
 from packstack.modules.puppet import validate_logfile
 from packstack.modules.puppet import scan_logfile
@@ -61,6 +64,8 @@ def initSequences(controller):
    controller.insertSequence("Clean Up", [], [], puppetpresteps, index=0)
    puppetsteps = [
        {'title': 'Preparing Puppet manifests',
            'functions': [prepare_puppet_modules]},
        {'title': 'Copying Puppet modules and manifests',
            'functions': [copy_puppet_modules]},
        {'title': 'Applying Puppet manifests',
@@ -237,10 +242,29 @@ def apply_puppet_manifest(config, messages):
            server.append(cmd)
            server.execute(log=logcmd)
-    # wait for outstanding puppet runs befor exiting
+    # wait for outstanding puppet runs before exiting
    wait_for_puppet(currently_running, messages)
 def prepare_puppet_modules(config, messages):
    network_hosts = split_hosts(config['CONFIG_NETWORK_HOSTS'])
    compute_hosts = split_hosts(config['CONFIG_COMPUTE_HOSTS'])
    manifestdata = getManifestTemplate("controller")
    manifestfile = "%s_controller.pp" % config['CONFIG_CONTROLLER_HOST']
    appendManifestFile(manifestfile, manifestdata, marker='controller')
    for host in network_hosts:
        manifestdata = getManifestTemplate("network")
        manifestfile = "%s_network.pp" % host
        appendManifestFile(manifestfile, manifestdata, marker='network')
    for host in compute_hosts:
        manifestdata = getManifestTemplate("compute")
        manifestfile = "%s_compute.pp" % host
        appendManifestFile(manifestfile, manifestdata, marker='compute')
 def finalize(config, messages):
    for hostname in filtered_hosts(config):
        server = utils.ScriptRunner(hostname)
--- a/packstack/plugins/sahara_900.py
+++ b/packstack/plugins/sahara_900.py
@@ -22,10 +22,6 @@ from packstack.installer import validators
 from packstack.installer import processors
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.shortcuts import get_mq
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
 from packstack.modules.ospluginutils import generate_ssl_cert
 # ------------------ Sahara installer initialization ------------------
@@ -78,25 +74,17 @@ def initSequences(controller):
        return
    saharasteps = [
-        {"title": "Adding Sahara Keystone manifest entries",
+        {"title": "Preparing Sahara entries",
         "functions": [create_keystone_manifest]},
        {"title": "Adding Sahara manifest entries",
         "functions": [create_manifest]},
    ]
    controller.addSequence("Installing Sahara", [], [], saharasteps)
 # -------------------------- step functions --------------------------
-
+def create_manifest(config, messages):
 def create_keystone_manifest(config, messages):
    if config['CONFIG_UNSUPPORTED'] != 'y':
        config['CONFIG_SAHARA_HOST'] = config['CONFIG_CONTROLLER_HOST']
    manifestfile = "%s_keystone.pp" % config['CONFIG_SAHARA_HOST']
    manifestdata = getManifestTemplate("keystone_sahara")
    appendManifestFile(manifestfile, manifestdata)
 def create_manifest(config, messages):
    if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
        ssl_host = config['CONFIG_SAHARA_HOST']
        ssl_cert_file = config['CONFIG_SAHARA_SSL_CERT'] = (
@@ -109,12 +97,6 @@ def create_manifest(config, messages):
        generate_ssl_cert(config, ssl_host, service, ssl_key_file,
                          ssl_cert_file)
    manifestfile = "%s_sahara.pp" % config['CONFIG_STORAGE_HOST']
    manifestdata = getManifestTemplate(get_mq(config, "sahara"))
    manifestdata += getManifestTemplate("sahara.pp")
    if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
        manifestdata += getManifestTemplate('sahara_ceilometer')
    fw_details = dict()
    key = "sahara-api"
    fw_details.setdefault(key, {})
@@ -124,6 +106,3 @@ def create_manifest(config, messages):
    fw_details[key]["ports"] = ["8386"]
    fw_details[key]["proto"] = "tcp"
    config["FIREWALL_SAHARA_CFN_RULES"] = fw_details
    manifestdata += createFirewallResources("FIREWALL_SAHARA_CFN_RULES")
    appendManifestFile(manifestfile, manifestdata, marker='sahara')
--- a/packstack/plugins/ssl_001.py
+++ b/packstack/plugins/ssl_001.py
@@ -215,8 +215,9 @@ def create_self_signed_cert(config, messages):
    # for now hardcoded place for landing CACert file on servers
    config['CONFIG_SSL_CACERT'] = '/etc/pki/tls/certs/packstack_cacert.crt'
-    if (config['CONFIG_AMQP_ENABLE_SSL'] != 'y' and
+#    if (config['CONFIG_AMQP_ENABLE_SSL'] != 'y' and
-       config["CONFIG_HORIZON_SSL"] != 'y'):
+#       config["CONFIG_HORIZON_SSL"] != 'y'):
    if config['CONFIG_AMQP_ENABLE_SSL'] != 'y':
        return
    config['CONFIG_SSL_CERT_DIR'] = os.path.expanduser(
--- a/packstack/plugins/swift_600.py
+++ b/packstack/plugins/swift_600.py
@@ -16,7 +16,6 @@
 Installs and configures Swift
 """
 import os
 import re
 import uuid
 import netaddr
@@ -29,10 +28,6 @@ from packstack.installer import utils
 from packstack.installer.utils import split_hosts
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
 from packstack.modules.ospluginutils import manifestfiles
 # ------------- Swift Packstack Plugin Initialization --------------
@@ -146,16 +141,12 @@ def initSequences(controller):
        return
    steps = [
-        {'title': 'Adding Swift Keystone manifest entries',
+        {'title': 'Preparing Swift builder entries',
         'functions': [create_keystone_manifest]},
        {'title': 'Adding Swift builder manifest entries',
         'functions': [create_builder_manifest]},
-        {'title': 'Adding Swift storage manifest entries',
+        {'title': 'Preparing Swift proxy entries',
         'functions': [create_storage_manifest]},
        {'title': 'Adding Swift common manifest entries',
         'functions': [create_common_manifest]},
        {'title': 'Adding Swift proxy manifest entries',
         'functions': [create_proxy_manifest]},
        {'title': 'Preparing Swift storage entries',
         'functions': [create_storage_manifest]},
    ]
    controller.addSequence("Installing OpenStack Swift", [], [], steps)
@@ -207,6 +198,9 @@ def parse_devices(config):
    if not devices:
        devices.append({'device': None, 'zone': 1,
                        'device_name': 'swiftloopback'})
        config['CONFIG_SWIFT_LOOPBACK'] = 'y'
    else:
        config['CONFIG_SWIFT_LOOPBACK'] = 'n'
    return devices
@@ -245,17 +239,10 @@ def get_storage_size(config):
 # -------------------------- step functions --------------------------
 def create_keystone_manifest(config, messages):
    # parse devices in first step
    global devices
    devices = parse_devices(config)
    manifestfile = "%s_keystone.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("keystone_swift")
    appendManifestFile(manifestfile, manifestdata)
 def create_builder_manifest(config, messages):
    global devices
    devices = parse_devices(config)
    # The ring file should be built and distributed before the storage services
    # come up. Specifically the replicator crashes if the ring isn't present
@@ -267,28 +254,28 @@ def create_builder_manifest(config, messages):
               '  weight => 10, }\n')
        return fmt % (dev_type, host, dev_port, devicename, zone)
    manifestfile = "%s_ring_swift.pp" % config['CONFIG_STORAGE_HOST']
    manifestdata = getManifestTemplate("swift_builder")
    # Add each device to the ring
    devicename = 0
-    for device in devices:
+    for configkey, dev_type, dev_port in (
-        host = config['CONFIG_STORAGE_HOST_URL']
+        [('SWIFT_RING_OBJECT_DEVICES', 'ring_object_device', 6000),
-        devicename = device['device_name']
+         ('SWIFT_RING_CONTAINER_DEVICES', 'ring_container_device', 6001),
-        zone = device['zone']
+         ('SWIFT_RING_ACCOUNT_DEVICES', 'ring_account_device', 6002)]):
-        for dev_type, dev_port in [('ring_object_device', 6000),
+        swift_dev_details = dict()
-                                   ('ring_container_device', 6001),
+        host = utils.force_ip(config['CONFIG_STORAGE_HOST_URL'])
-                                   ('ring_account_device', 6002)]:
+        fstype = config["CONFIG_SWIFT_STORAGE_FSTYPE"]
-            manifestdata += device_def(dev_type, host, dev_port, devicename,
+        for device in devices:
-                                       zone)
+            devicename = device['device_name']
-    appendManifestFile(manifestfile, manifestdata, 'swiftbuilder')
+            key = "dev_%s_%s" % (host, devicename)
            swift_dev_details.setdefault(key, {})
            zone = device['zone']
            swift_dev_details[key]['name'] = "%s:%s/%s" % (host, dev_port,
                                                           devicename)
            swift_dev_details[key]['weight'] = "%s" % 10
            swift_dev_details[key]['zone'] = "%s" % zone
        config[configkey] = swift_dev_details
 def create_proxy_manifest(config, messages):
    manifestfile = "%s_swift.pp" % config['CONFIG_STORAGE_HOST']
    manifestdata = getManifestTemplate("swift_proxy")
    if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
        manifestdata += getManifestTemplate("swift_ceilometer_rabbitmq")
    fw_details = dict()
    key = "swift_proxy"
    fw_details.setdefault(key, {})
@@ -299,31 +286,28 @@ def create_proxy_manifest(config, messages):
    fw_details[key]['proto'] = "tcp"
    config['FIREWALL_SWIFT_PROXY_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_SWIFT_PROXY_RULES')
    appendManifestFile(manifestfile, manifestdata)
 def create_storage_manifest(config, messages):
    global devices
-    manifestfile = "%s_swift.pp" % config['CONFIG_STORAGE_HOST']
+    devicename = 0
-    manifestdata = getManifestTemplate("swift_storage")
+    swift_dev_details = dict()
    host = utils.force_ip(config['CONFIG_STORAGE_HOST_URL'])
    fstype = config["CONFIG_SWIFT_STORAGE_FSTYPE"]
    # this need to happen once per storage device
    for device in devices:
-        host = config['CONFIG_STORAGE_HOST']
+        if device['device'] is None:
        devicename = device['device_name']
        device = device['device']
        fstype = config["CONFIG_SWIFT_STORAGE_FSTYPE"]
        if device:
            check_device(host, device)
            manifestdata += ('\nswift::storage::%s { "%s":\n'
                             '  device => "%s",\n}\n'
                             % (fstype, devicename, device))
        else:
            # create loopback device if none was specified
            config['CONFIG_SWIFT_STORAGE_SEEK'] = get_storage_size(config)
-            manifestdata += "\n" + getManifestTemplate("swift_loopback")
+        else:
            devicename = device['device_name']
            devicedev = device['device']
            key = "dev_%s_%s" % (host, devicename)
            swift_dev_details.setdefault(key, {})
            swift_dev_details[key]['device'] = "%s" % devicename
            swift_dev_details[key]['dev'] = "%s" % devicedev
            swift_dev_details[key]['fstype'] = "%s" % fstype
    config['CONFIG_SWIFT_STORAGE_DEVICES'] = swift_dev_details
    # set allowed hosts for firewall
    hosts = set([config['CONFIG_STORAGE_HOST']])
@@ -340,13 +324,3 @@ def create_storage_manifest(config, messages):
        fw_details[key]['ports'] = ['6000', '6001', '6002', '873']
        fw_details[key]['proto'] = "tcp"
    config['FIREWALL_SWIFT_STORAGE_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_SWIFT_STORAGE_RULES')
    appendManifestFile(manifestfile, manifestdata)
 def create_common_manifest(config, messages):
    for manifestfile, marker in manifestfiles.getFiles():
        if manifestfile.endswith("_swift.pp"):
            data = getManifestTemplate("swift_common")
            appendManifestFile(os.path.split(manifestfile)[1], data)
--- a/packstack/plugins/trove_850.py
+++ b/packstack/plugins/trove_850.py
@@ -22,10 +22,6 @@ from packstack.installer import validators
 from packstack.installer import processors
 from packstack.modules.documentation import update_params_usage
 from packstack.modules.shortcuts import get_mq
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
 from packstack.modules.ospluginutils import generate_ssl_cert
 # ------------------ Trove Packstack Plugin initialization ------------------
@@ -126,23 +122,14 @@ def initSequences(controller):
        return
    steps = [
-        {'title': 'Adding Trove Keystone manifest entries',
+        {'title': 'Preparing Trove entries',
-         'functions': [create_keystone_manifest]},
+         'functions': [create_manifest]}
        {'title': 'Adding Trove manifest entries',
         'functions': [create_manifest]},
    ]
    controller.addSequence("Installing Trove", [], [], steps)
 # ------------------------ step functions --------------------------
 def create_keystone_manifest(config, messages):
    manifestfile = "%s_keystone.pp" % config['CONFIG_CONTROLLER_HOST']
    manifestdata = getManifestTemplate("keystone_trove.pp")
    appendManifestFile(manifestfile, manifestdata)
 def create_manifest(config, messages):
    if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
        ssl_cert_file = config['CONFIG_TROVE_SSL_CERT'] = (
@@ -160,10 +147,6 @@ def create_manifest(config, messages):
            config['CONFIG_TROVE_NOVA_PW'] == ''):
        config['CONFIG_TROVE_NOVA_PW'] = config['CONFIG_TROVE_KS_PW']
    manifestfile = "%s_trove.pp" % config["CONFIG_CONTROLLER_HOST"]
    manifestdata = getManifestTemplate(get_mq(config, "trove"))
    manifestdata += getManifestTemplate('trove.pp')
    fw_details = dict()
    key = "trove"
    fw_details.setdefault(key, {})
@@ -173,6 +156,3 @@ def create_manifest(config, messages):
    fw_details[key]['ports'] = ['8779']
    fw_details[key]['proto'] = "tcp"
    config['FIREWALL_TROVE_API_RULES'] = fw_details
    manifestdata += createFirewallResources('FIREWALL_TROVE_API_RULES')
    appendManifestFile(manifestfile, manifestdata, marker='trove')
--- a/packstack/puppet/modules/packstack/manifests/amqp.pp
+++ b/packstack/puppet/modules/packstack/manifests/amqp.pp
@@ -1,17 +1,8 @@
 $amqp = hiera('CONFIG_AMQP_BACKEND')
 $amqp_enable_ssl = hiera('CONFIG_AMQP_SSL_ENABLED')
 case $amqp  {
  'rabbitmq': {
    enable_rabbitmq { 'rabbitmq': }
  }
  default: {}
 }
 define enable_rabbitmq {
  create_resources(packstack::firewall, hiera('FIREWALL_AMQP_RULES', {}))
  $amqp_enable_ssl = hiera('CONFIG_AMQP_SSL_ENABLED')
-  if $::amqp_enable_ssl {
+  if $amqp_enable_ssl {
    $kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
    $kombu_ssl_keyfile = '/etc/pki/tls/private/ssl_amqp.key'
    $kombu_ssl_certfile = '/etc/pki/tls/certs/ssl_amqp.crt'
@@ -28,7 +19,7 @@ define enable_rabbitmq {
      port                     => undef,
      ssl_port                 => hiera('CONFIG_AMQP_CLIENTS_PORT'),
      ssl_only                 => true,
-      ssl                      => $::amqp_enable_ssl,
+      ssl                      => true,
      ssl_cacert               => $kombu_ssl_ca_certs,
      ssl_cert                 => $kombu_ssl_certfile,
      ssl_key                  => $kombu_ssl_keyfile,
@@ -40,22 +31,22 @@ define enable_rabbitmq {
      # FIXME: it's ugly to not to require client certs
      ssl_fail_if_no_peer_cert => true,
      config_variables         => {
-        'tcp_listen_options' => '[binary,{packet, raw},{reuseaddr, true},{backlog, 128},{nodelay, true},{exit_on_close, false},{keepalive, true}]',
+     'tcp_listen_options' => '[binary,{packet, raw},{reuseaddr, true},{backlog, 128},{nodelay, true},{exit_on_close, false},{keepalive, true}]',
-        'loopback_users'     => '[]',
+     'loopback_users'     => '[]',
      },
    }
  } else {
    class { '::rabbitmq':
      port             => hiera('CONFIG_AMQP_CLIENTS_PORT'),
-      ssl              => $::amqp_enable_ssl,
+      ssl              => false,
      default_user     => hiera('CONFIG_AMQP_AUTH_USER'),
      default_pass     => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
      package_provider => 'yum',
      repos_ensure     => false,
      admin_enable     => false,
      config_variables => {
-        'tcp_listen_options' => '[binary,{packet, raw},{reuseaddr, true},{backlog, 128},{nodelay, true},{exit_on_close, false},{keepalive, true}]',
+     'tcp_listen_options' => '[binary,{packet, raw},{reuseaddr, true},{backlog, 128},{nodelay, true},{exit_on_close, false},{keepalive, true}]',
-        'loopback_users'     => '[]',
+     'loopback_users'     => '[]',
      },
    }
  }
@@ -68,5 +59,31 @@ define enable_rabbitmq {
    group   => 'rabbitmq',
    mode    => '0640',
  }
-
+}
 class packstack::amqp ()
 {
     $amqp = hiera('CONFIG_AMQP_BACKEND')
     case $amqp  {
       'rabbitmq': {
         enable_rabbitmq { 'rabbitmq': }
          # The following kernel parameters help alleviate some RabbitMQ
          # connection issues
          sysctl::value { 'net.ipv4.tcp_keepalive_intvl':
            value => '1',
          }
          sysctl::value { 'net.ipv4.tcp_keepalive_probes':
            value => '5',
          }
          sysctl::value { 'net.ipv4.tcp_keepalive_time':
            value => '5',
          }
       }
       default: {}
     }
 }
--- a/packstack/puppet/modules/packstack/manifests/aodh.pp
+++ b/packstack/puppet/modules/packstack/manifests/aodh.pp
@@ -0,0 +1,36 @@
 class packstack::aodh ()
 {
    create_resources(packstack::firewall, hiera('FIREWALL_AODH_RULES', {}))
    $config_aodh_coordination_backend = hiera('CONFIG_CEILOMETER_COORDINATION_BACKEND')
    if $config_aodh_coordination_backend == 'redis' {
      $redis_host = hiera('CONFIG_REDIS_HOST_URL')
      $redis_port = hiera('CONFIG_REDIS_PORT')
      $coordination_url = "redis://${redis_host}:${redis_port}"
    } else {
      $coordination_url = ''
    }
    class { '::aodh::api':
      enabled               => true,
      keystone_password     => hiera('CONFIG_AODH_KS_PW'),
      keystone_identity_uri => hiera('CONFIG_KEYSTONE_ADMIN_URL'),
      service_name          => 'httpd',
    }
    class { '::aodh::wsgi::apache':
      workers => hiera('CONFIG_SERVICE_WORKERS'),
      ssl     => false
    }
    class { '::aodh::auth':
      auth_password => hiera('CONFIG_AODH_KS_PW'),
    }
    class { '::aodh::evaluator':
      coordination_url => $coordination_url,
    }
    class { '::aodh::notifier': }
    class { '::aodh::listener': }
    class { '::aodh::client': }
 }
--- a/packstack/puppet/modules/packstack/manifests/aodh/rabbitmq.pp
+++ b/packstack/puppet/modules/packstack/manifests/aodh/rabbitmq.pp
@@ -0,0 +1,32 @@
 class packstack::aodh::rabbitmq ()
 {
    $kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
    $kombu_ssl_keyfile = hiera('CONFIG_AODH_SSL_KEY', undef)
    $kombu_ssl_certfile = hiera('CONFIG_AODH_SSL_CERT', undef)
    if $kombu_ssl_keyfile {
      $files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
      file { $files_to_set_owner:
        owner   => 'aodh',
        group   => 'aodh',
        require => Package['openstack-aodh-common'],
      }
      File[$files_to_set_owner] ~> Service<| tag == 'aodh-service' |>
    }
    $config_mongodb_host = hiera('CONFIG_MONGODB_HOST_URL')
    class { '::aodh':
      verbose            => true,
      debug              => hiera('CONFIG_DEBUG_MODE'),
      rabbit_host        => hiera('CONFIG_AMQP_HOST_URL'),
      rabbit_port        => hiera('CONFIG_AMQP_CLIENTS_PORT'),
      rabbit_use_ssl     => hiera('CONFIG_AMQP_SSL_ENABLED'),
      rabbit_userid      => hiera('CONFIG_AMQP_AUTH_USER'),
      rabbit_password    => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
      kombu_ssl_ca_certs => $kombu_ssl_ca_certs,
      kombu_ssl_keyfile  => $kombu_ssl_keyfile,
      kombu_ssl_certfile => $kombu_ssl_certfile,
      database_connection => "mongodb://${config_mongodb_host}:27017/aodh",
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/apache.pp
+++ b/packstack/puppet/modules/packstack/manifests/apache.pp
@@ -0,0 +1,33 @@
 class packstack::apache ()
 {
    include ::apache
    if hiera('CONFIG_HORIZON_SSL')  == 'y' {
      ensure_packages(['mod_ssl'], {'ensure' => 'present'})
      Package['mod_ssl'] -> Class['::apache']
      apache::listen { '443': }
    }
    # Keystone port
    apache::listen { '5000': }
    # Keystone admin port
    apache::listen { '35357': }
    if hiera('CONFIG_CEILOMETER_INSTALL') == 'y' {
      if hiera('CONFIG_CEILOMETER_SERVICE_NAME') == 'httpd' {
        # Ceilometer port
        apache::listen { '8777': }
      }
    }
    if hiera('CONFIG_AODH_INSTALL') == 'y' {
      # Aodh port
      apache::listen { '8042': }
    }
    if hiera('CONFIG_GNOCCHI_INSTALL') == 'y' {
      # Gnocchi port
      apache::listen { '8041': }
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/ceilometer.pp
+++ b/packstack/puppet/modules/packstack/manifests/ceilometer.pp
@@ -0,0 +1,80 @@
 class packstack::ceilometer ()
 {
    create_resources(packstack::firewall, hiera('FIREWALL_CEILOMETER_RULES', {}))
    $config_mongodb_host = hiera('CONFIG_MONGODB_HOST_URL')
    $config_ceilometer_coordination_backend = hiera('CONFIG_CEILOMETER_COORDINATION_BACKEND')
    $config_ceilometer_metering_backend = hiera('CONFIG_CEILOMETER_METERING_BACKEND')
    $config_gnocchi_host = hiera('CONFIG_KEYSTONE_HOST_URL')
    if $config_ceilometer_coordination_backend == 'redis' {
      $redis_host = hiera('CONFIG_REDIS_HOST_URL')
      $redis_port = hiera('CONFIG_REDIS_PORT')
      $coordination_url = "redis://${redis_host}:${redis_port}"
      ensure_packages(['python-redis'], {'ensure' => 'present'})
    } else {
      $coordination_url = ''
    }
    if hiera('CONFIG_CEILOMETER_SERVICE_NAME') == 'ceilometer' {
          $ceilometer_service_name = 'openstack-ceilometer-api'
    } else {
          $ceilometer_service_name = 'httpd'
    }
    class { '::ceilometer::db':
      database_connection => "mongodb://${config_mongodb_host}:27017/ceilometer",
    }
    class { '::ceilometer::collector':
      meter_dispatcher => $config_ceilometer_metering_backend,
    }
    if $config_ceilometer_metering_backend == 'gnocchi' {
      include ::gnocchi::client
      class { '::ceilometer::dispatcher::gnocchi':
        filter_service_activity   => false,
        url                       => "http://${config_gnocchi_host}:8041",
        archive_policy            => 'high',
        resources_definition_file => 'gnocchi_resources.yaml',
      }
    }
    class { '::ceilometer::agent::notification': }
    class { '::ceilometer::agent::auth':
      auth_url      => hiera('CONFIG_KEYSTONE_PUBLIC_URL_VERSIONLESS'),
      auth_password => hiera('CONFIG_CEILOMETER_KS_PW'),
      auth_region   => hiera('CONFIG_KEYSTONE_REGION'),
    }
    class { '::ceilometer::agent::central':
      coordination_url => $coordination_url,
    }
    $bind_host = hiera('CONFIG_IP_VERSION') ? {
      'ipv6'  => '::0',
      default => '0.0.0.0',
      # TO-DO(mmagr): Add IPv6 support when hostnames are used
    }
    class { '::ceilometer::api':
      host                  => $bind_host,
      keystone_auth_uri     => hiera('CONFIG_KEYSTONE_PUBLIC_URL'),
      keystone_identity_uri => hiera('CONFIG_KEYSTONE_ADMIN_URL'),
      keystone_password     => hiera('CONFIG_CEILOMETER_KS_PW'),
      api_workers           => hiera('CONFIG_SERVICE_WORKERS'),
      service_name          => $ceilometer_service_name,
    }
    if $ceilometer_service_name == 'httpd' {
       class { '::ceilometer::wsgi::apache':
         ssl => false,
       }
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/ceilometer/nova_disabled.pp
+++ b/packstack/puppet/modules/packstack/manifests/ceilometer/nova_disabled.pp
@@ -0,0 +1,8 @@
 class packstack::ceilometer::nova_disabled ()
 {
    group { 'nova':
      ensure => present,
    }
    Group['nova'] -> Class['ceilometer']
 }
--- a/packstack/puppet/modules/packstack/manifests/ceilometer/rabbitmq.pp
+++ b/packstack/puppet/modules/packstack/manifests/ceilometer/rabbitmq.pp
@@ -0,0 +1,30 @@
 class packstack::ceilometer::rabbitmq ()
 {
    $kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
    $kombu_ssl_keyfile = hiera('CONFIG_CEILOMETER_SSL_KEY', undef)
    $kombu_ssl_certfile = hiera('CONFIG_CEILOMETER_SSL_CERT', undef)
    if $kombu_ssl_keyfile {
      $files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
      file { $files_to_set_owner:
        owner   => 'ceilometer',
        group   => 'ceilometer',
        require => Package['openstack-ceilometer-common'],
      }
      File[$files_to_set_owner] ~> Service<| tag == 'ceilometer-service' |>
    }
    class { '::ceilometer':
      metering_secret    => hiera('CONFIG_CEILOMETER_SECRET'),
      verbose            => true,
      debug              => hiera('CONFIG_DEBUG_MODE'),
      rabbit_host        => hiera('CONFIG_AMQP_HOST_URL'),
      rabbit_port        => hiera('CONFIG_AMQP_CLIENTS_PORT'),
      rabbit_use_ssl     => hiera('CONFIG_AMQP_SSL_ENABLED'),
      rabbit_userid      => hiera('CONFIG_AMQP_AUTH_USER'),
      rabbit_password    => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
      kombu_ssl_ca_certs => $kombu_ssl_ca_certs,
      kombu_ssl_keyfile  => $kombu_ssl_keyfile,
      kombu_ssl_certfile => $kombu_ssl_certfile,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/chrony.pp
+++ b/packstack/puppet/modules/packstack/manifests/chrony.pp
@@ -0,0 +1,101 @@
 class packstack::chrony ()
 {
    $cfg_ntp_server_def = hiera('CONFIG_NTP_SERVER_DEF')
    $cfg_ntp_servers    = hiera('CONFIG_NTP_SERVERS')
    $config_content = "
    # Use public servers from the pool.ntp.org project.
    # Please consider joining the pool (http://www.pool.ntp.org/join.html).
    ${cfg_ntp_server_def}
    # Ignore stratum in source selection.
    stratumweight 0
    # Record the rate at which the system clock gains/losses time.
    driftfile /var/lib/chrony/drift
    # Enable kernel RTC synchronization.
    rtcsync
    # In first three updates step the system clock instead of slew
    # if the adjustment is larger than 10 seconds.
    makestep 10 3
    # Allow NTP client access from local network.
    #allow 192.168/16
    # Listen for commands only on localhost.
    bindcmdaddress 127.0.0.1
    bindcmdaddress ::1
    # Serve time even if not synchronized to any NTP server.
    #local stratum 10
    keyfile /etc/chrony.keys
    # Specify the key used as password for chronyc.
    commandkey 1
    # Generate command key if missing.
    generatecommandkey
    # Disable logging of client accesses.
    noclientlog
    # Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
    logchange 0.5
    logdir /var/log/chrony
    #log measurements statistics tracking
    "
    package { 'chrony':
      ensure => 'installed',
      name   => 'chrony',
    }
    package { 'ntpdate':
      ensure => 'installed',
      name   => 'ntpdate',
    }
    file { 'chrony_conf':
      ensure  => file,
      path    => '/etc/chrony.conf',
      mode    => '0644',
      content => $config_content,
    }
    exec { 'stop-chronyd':
      path    => '/bin:/usr/bin:/sbin:/usr/sbin',
      command => 'systemctl stop chronyd.service',
      onlyif  => 'systemctl status chronyd.service'
    }
    # for cases where ntpd is running instead of default chronyd
    service { 'ntpd':
      ensure => stopped,
      enable => false,
    }
    exec { 'ntpdate':
      command => "/usr/sbin/ntpdate ${cfg_ntp_servers}",
      tries   => 3,
    }
    service { 'chronyd':
      ensure     => running,
      enable     => true,
      name       => 'chronyd',
      hasstatus  => true,
      hasrestart => true,
    }
    Package['chrony'] ->
    Package['ntpdate'] ->
    File['chrony_conf'] ->
    Exec['stop-chronyd'] ->
    Service['ntpd'] ->
    Exec['ntpdate'] ->
    Service['chronyd']
 }
--- a/packstack/puppet/modules/packstack/manifests/cinder.pp
+++ b/packstack/puppet/modules/packstack/manifests/cinder.pp
@@ -0,0 +1,61 @@
 class packstack::cinder ()
 {
    create_resources(packstack::firewall, hiera('FIREWALL_CINDER_RULES', {}))
    create_resources(packstack::firewall, hiera('FIREWALL_CINDER_API_RULES', {}))
    cinder_config {
      'DEFAULT/glance_host': value => hiera('CONFIG_STORAGE_HOST_URL');
    }
    $bind_host = hiera('CONFIG_IP_VERSION') ? {
      'ipv6'  => '::0',
      default => '0.0.0.0',
      # TO-DO(mmagr): Add IPv6 support when hostnames are used
    }
    $cinder_keystone_url = regsubst(regsubst(hiera('CONFIG_KEYSTONE_PUBLIC_URL'),'/v2.0',''),'/v3','')
    class { '::cinder::api':
      bind_host               => $bind_host,
      keystone_password       => hiera('CONFIG_CINDER_KS_PW'),
      keystone_tenant         => 'services',
      keystone_user           => 'cinder',
      auth_uri                => $cinder_keystone_url,
      identity_uri            => hiera('CONFIG_KEYSTONE_ADMIN_URL'),
      nova_catalog_info       => 'compute:nova:publicURL',
      nova_catalog_admin_info => 'compute:nova:adminURL',
      service_workers         => hiera('CONFIG_SERVICE_WORKERS'),
    }
    class { '::cinder::scheduler': }
    class { '::cinder::volume': }
    class { '::cinder::client': }
    $cinder_keystone_admin_username = hiera('CONFIG_KEYSTONE_ADMIN_USERNAME')
    $cinder_keystone_admin_password = hiera('CONFIG_KEYSTONE_ADMIN_PW')
    $cinder_keystone_auth_url = hiera('CONFIG_KEYSTONE_PUBLIC_URL')
    $cinder_keystone_api = hiera('CONFIG_KEYSTONE_API_VERSION')
    # Cinder::Type requires keystone credentials
    Cinder::Type {
      os_password    => hiera('CONFIG_CINDER_KS_PW'),
      os_tenant_name => 'services',
      os_username    => 'cinder',
      os_auth_url    => hiera('CONFIG_KEYSTONE_PUBLIC_URL'),
    }
    class { '::cinder::backends':
      enabled_backends => hiera_array('CONFIG_CINDER_BACKEND'),
    }
    $db_purge = hiera('CONFIG_CINDER_DB_PURGE_ENABLE')
    if $db_purge {
      class { '::cinder::cron::db_purge':
        hour        => '*/24',
        destination => '/dev/null',
        age         => 1
      }
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/cinder/backend/gluster.pp
+++ b/packstack/puppet/modules/packstack/manifests/cinder/backend/gluster.pp
@@ -0,0 +1,16 @@
 class packstack::cinder::backend::gluster ()
 {
    ensure_packages(['glusterfs-fuse'], {'ensure' => 'present'})
    cinder::backend::glusterfs { 'gluster':
      glusterfs_shares        => hiera_array('CONFIG_CINDER_GLUSTER_MOUNTS'),
      require                 => Package['glusterfs-fuse'],
      glusterfs_shares_config => '/etc/cinder/glusterfs_shares.conf',
    }
    cinder::type { 'glusterfs':
      set_key   => 'volume_backend_name',
      set_value => 'gluster',
      require   => Class['cinder::api'],
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/cinder/backend/lvm.pp
+++ b/packstack/puppet/modules/packstack/manifests/cinder/backend/lvm.pp
@@ -0,0 +1,96 @@
 class packstack::cinder::backend::lvm ()
 {
    $create_cinder_volume = hiera('CONFIG_CINDER_VOLUMES_CREATE')
    if $create_cinder_volume == 'y' {
        # Find an available loop device
        $loop_dev = chomp(generate('/usr/sbin/losetup', '-f'))
        class { '::cinder::setup_test_volume':
          size            => hiera('CONFIG_CINDER_VOLUMES_SIZE'),
          loopback_device => $loop_dev,
          volume_path     => '/var/lib/cinder',
          volume_name     => 'cinder-volumes',
        }
        # Add loop device on boot
        $el_releases = ['RedHat', 'CentOS', 'Scientific']
        if $::operatingsystem in $el_releases and (versioncmp($::operatingsystemmajrelease, '7') < 0) {
          file_line{ 'rc.local_losetup_cinder_volume':
            path  => '/etc/rc.d/rc.local',
            match => '^.*/var/lib/cinder/cinder-volumes.*$',
            line  => 'losetup -f /var/lib/cinder/cinder-volumes && service openstack-cinder-volume restart',
          }
          file { '/etc/rc.d/rc.local':
            mode  => '0755',
          }
        } else {
          file { 'openstack-losetup':
            path    => '/usr/lib/systemd/system/openstack-losetup.service',
            before  => Service['openstack-losetup'],
            notify  => Exec['reload systemd files for cinder-volume'],
            content => '[Unit]
    Description=Setup cinder-volume loop device
    DefaultDependencies=false
    Before=openstack-cinder-volume.service
    After=local-fs.target
    [Service]
    Type=oneshot
    ExecStart=/usr/bin/sh -c \'/usr/sbin/losetup -j /var/lib/cinder/cinder-volumes | /usr/bin/grep /var/lib/cinder/cinder-volumes || /usr/sbin/losetup -f /var/lib/cinder/cinder-volumes\'
    ExecStop=/usr/bin/sh -c \'/usr/sbin/losetup -j /var/lib/cinder/cinder-volumes | /usr/bin/cut -d : -f 1 | /usr/bin/xargs /usr/sbin/losetup -d\'
    TimeoutSec=60
    RemainAfterExit=yes
    [Install]
    RequiredBy=openstack-cinder-volume.service',
          }
          exec { 'reload systemd files for cinder-volume':
            command     => '/usr/bin/systemctl daemon-reload',
            refreshonly => true,
            before      => Service['openstack-losetup'],
          }
          service { 'openstack-losetup':
            ensure  => running,
            enable  => true,
            require => Class['cinder::setup_test_volume'],
          }
        }
    }
    else {
        ensure_packages(['lvm2'], {'ensure' => 'present'})
    }
    file_line { 'snapshot_autoextend_threshold':
      path    => '/etc/lvm/lvm.conf',
      match   => '^\s*snapshot_autoextend_threshold +=.*',
      line    => '   snapshot_autoextend_threshold = 80',
      require => Package['lvm2'],
    }
    file_line { 'snapshot_autoextend_percent':
      path    => '/etc/lvm/lvm.conf',
      match   => '^\s*snapshot_autoextend_percent +=.*',
      line    => '   snapshot_autoextend_percent = 20',
      require => Package['lvm2'],
    }
    cinder::backend::iscsi { 'lvm':
      iscsi_ip_address => hiera('CONFIG_STORAGE_HOST_URL'),
      require          => Package['lvm2'],
    }
    cinder::type { 'iscsi':
      set_key   => 'volume_backend_name',
      set_value => 'lvm',
      require   => Class['cinder::api'],
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/cinder/backend/netapp.pp
+++ b/packstack/puppet/modules/packstack/manifests/cinder/backend/netapp.pp
@@ -0,0 +1,133 @@
 # Copyright (c) – 2014, Ryan Hefner.  All rights reserved.
 class packstack::cinder::backend::netapp ()
 {
    $netapp_storage_family = hiera('CONFIG_CINDER_NETAPP_STORAGE_FAMILY')
    $netapp_storage_protocol = hiera('CONFIG_CINDER_NETAPP_STORAGE_PROTOCOL')
    $netapp_backend_name = 'netapp'
    if $netapp_storage_family == 'ontap_cluster' {
      if $netapp_storage_protocol == 'nfs' {
        cinder::backend::netapp { $netapp_backend_name:
          netapp_login              => hiera('CONFIG_CINDER_NETAPP_LOGIN'),
          netapp_password           => hiera('CONFIG_CINDER_NETAPP_PASSWORD'),
          netapp_server_hostname    => hiera('CONFIG_CINDER_NETAPP_HOSTNAME'),
          netapp_server_port        => hiera('CONFIG_CINDER_NETAPP_SERVER_PORT'),
          netapp_storage_family     => hiera('CONFIG_CINDER_NETAPP_STORAGE_FAMILY'),
          netapp_storage_protocol   => hiera('CONFIG_CINDER_NETAPP_STORAGE_PROTOCOL'),
          netapp_transport_type     => hiera('CONFIG_CINDER_NETAPP_TRANSPORT_TYPE'),
          netapp_vserver            => hiera('CONFIG_CINDER_NETAPP_VSERVER'),
          expiry_thres_minutes      => hiera('CONFIG_CINDER_NETAPP_EXPIRY_THRES_MINUTES'),
          thres_avl_size_perc_start => hiera('CONFIG_CINDER_NETAPP_THRES_AVL_SIZE_PERC_START'),
          thres_avl_size_perc_stop  => hiera('CONFIG_CINDER_NETAPP_THRES_AVL_SIZE_PERC_STOP'),
          nfs_shares                => hiera_array('CONFIG_CINDER_NETAPP_NFS_SHARES'),
          nfs_shares_config         => hiera('CONFIG_CINDER_NETAPP_NFS_SHARES_CONFIG'),
        }
        ensure_packages(['nfs-utils'], {'ensure' => 'present'})
      }
      elsif $netapp_storage_protocol == 'iscsi' {
        cinder::backend::netapp { $netapp_backend_name:
          netapp_login            => hiera('CONFIG_CINDER_NETAPP_LOGIN'),
          netapp_password         => hiera('CONFIG_CINDER_NETAPP_PASSWORD'),
          netapp_server_hostname  => hiera('CONFIG_CINDER_NETAPP_HOSTNAME'),
          netapp_server_port      => hiera('CONFIG_CINDER_NETAPP_SERVER_PORT'),
          netapp_size_multiplier  => hiera('CONFIG_CINDER_NETAPP_SIZE_MULTIPLIER'),
          netapp_storage_family   => hiera('CONFIG_CINDER_NETAPP_STORAGE_FAMILY'),
          netapp_storage_protocol => hiera('CONFIG_CINDER_NETAPP_STORAGE_PROTOCOL'),
          netapp_transport_type   => hiera('CONFIG_CINDER_NETAPP_TRANSPORT_TYPE'),
          netapp_vserver          => hiera('CONFIG_CINDER_NETAPP_VSERVER'),
        }
        ensure_packages(['iscsi-initiator-utils'], {'ensure' => 'present'})
      }
      elsif $netapp_storage_protocol == 'fc' {
        cinder::backend::netapp { $netapp_backend_name:
          netapp_login            => hiera('CONFIG_CINDER_NETAPP_LOGIN'),
          netapp_password         => hiera('CONFIG_CINDER_NETAPP_PASSWORD'),
          netapp_server_hostname  => hiera('CONFIG_CINDER_NETAPP_HOSTNAME'),
          netapp_server_port      => hiera('CONFIG_CINDER_NETAPP_SERVER_PORT'),
          netapp_size_multiplier  => hiera('CONFIG_CINDER_NETAPP_SIZE_MULTIPLIER'),
          netapp_storage_family   => hiera('CONFIG_CINDER_NETAPP_STORAGE_FAMILY'),
          netapp_storage_protocol => hiera('CONFIG_CINDER_NETAPP_STORAGE_PROTOCOL'),
          netapp_transport_type   => hiera('CONFIG_CINDER_NETAPP_TRANSPORT_TYPE'),
          netapp_vserver          => hiera('CONFIG_CINDER_NETAPP_VSERVER'),
        }
      }
    }
    elsif $netapp_storage_family == 'ontap_7mode' {
      if $netapp_storage_protocol == 'nfs' {
        cinder::backend::netapp { $netapp_backend_name:
          netapp_login              => hiera('CONFIG_CINDER_NETAPP_LOGIN'),
          netapp_password           => hiera('CONFIG_CINDER_NETAPP_PASSWORD'),
          netapp_server_hostname    => hiera('CONFIG_CINDER_NETAPP_HOSTNAME'),
          netapp_server_port        => hiera('CONFIG_CINDER_NETAPP_SERVER_PORT'),
          netapp_storage_family     => hiera('CONFIG_CINDER_NETAPP_STORAGE_FAMILY'),
          netapp_storage_protocol   => hiera('CONFIG_CINDER_NETAPP_STORAGE_PROTOCOL'),
          netapp_transport_type     => hiera('CONFIG_CINDER_NETAPP_TRANSPORT_TYPE'),
          expiry_thres_minutes      => hiera('CONFIG_CINDER_NETAPP_EXPIRY_THRES_MINUTES'),
          thres_avl_size_perc_start => hiera('CONFIG_CINDER_NETAPP_THRES_AVL_SIZE_PERC_START'),
          thres_avl_size_perc_stop  => hiera('CONFIG_CINDER_NETAPP_THRES_AVL_SIZE_PERC_STOP'),
          nfs_shares                => hiera_array('CONFIG_CINDER_NETAPP_NFS_SHARES'),
          nfs_shares_config         => hiera('CONFIG_CINDER_NETAPP_NFS_SHARES_CONFIG'),
        }
        ensure_packages(['nfs-utils'], {'ensure' => 'present'})
      }
      elsif $netapp_storage_protocol == 'iscsi' {
        cinder::backend::netapp { $netapp_backend_name:
          netapp_login            => hiera('CONFIG_CINDER_NETAPP_LOGIN'),
          netapp_password         => hiera('CONFIG_CINDER_NETAPP_PASSWORD'),
          netapp_server_hostname  => hiera('CONFIG_CINDER_NETAPP_HOSTNAME'),
          netapp_server_port      => hiera('CONFIG_CINDER_NETAPP_SERVER_PORT'),
          netapp_size_multiplier  => hiera('CONFIG_CINDER_NETAPP_SIZE_MULTIPLIER'),
          netapp_storage_family   => hiera('CONFIG_CINDER_NETAPP_STORAGE_FAMILY'),
          netapp_storage_protocol => hiera('CONFIG_CINDER_NETAPP_STORAGE_PROTOCOL'),
          netapp_transport_type   => hiera('CONFIG_CINDER_NETAPP_TRANSPORT_TYPE'),
          netapp_vfiler           => hiera('CONFIG_CINDER_NETAPP_VFILER'),
          netapp_volume_list      => hiera('CONFIG_CINDER_NETAPP_VOLUME_LIST'),
        }
        ensure_packages(['iscsi-initiator-utils'], {'ensure' => 'present'})
      }
      elsif $netapp_storage_protocol == 'fc' {
        cinder::backend::netapp { $netapp_backend_name:
          netapp_login                => hiera('CONFIG_CINDER_NETAPP_LOGIN'),
          netapp_password             => hiera('CONFIG_CINDER_NETAPP_PASSWORD'),
          netapp_server_hostname      => hiera('CONFIG_CINDER_NETAPP_HOSTNAME'),
          netapp_server_port          => hiera('CONFIG_CINDER_NETAPP_SERVER_PORT'),
          netapp_size_multiplier      => hiera('CONFIG_CINDER_NETAPP_SIZE_MULTIPLIER'),
          netapp_storage_family       => hiera('CONFIG_CINDER_NETAPP_STORAGE_FAMILY'),
          netapp_storage_protocol     => hiera('CONFIG_CINDER_NETAPP_STORAGE_PROTOCOL'),
          netapp_transport_type       => hiera('CONFIG_CINDER_NETAPP_TRANSPORT_TYPE'),
          netapp_vfiler               => hiera('CONFIG_CINDER_NETAPP_VFILER'),
          netapp_partner_backend_name => hiera('CONFIG_CINDER_NETAPP_PARTNER_BACKEND_NAME'),
          netapp_volume_list          => hiera('CONFIG_CINDER_NETAPP_VOLUME_LIST'),
        }
      }
    }
    elsif $netapp_storage_family == 'eseries' {
      cinder::backend::netapp { $netapp_backend_name:
        netapp_login             => hiera('CONFIG_CINDER_NETAPP_LOGIN'),
        netapp_password          => hiera('CONFIG_CINDER_NETAPP_PASSWORD'),
        netapp_server_hostname   => hiera('CONFIG_CINDER_NETAPP_HOSTNAME'),
        netapp_server_port       => hiera('CONFIG_CINDER_NETAPP_SERVER_PORT'),
        netapp_storage_family    => hiera('CONFIG_CINDER_NETAPP_STORAGE_FAMILY'),
        netapp_storage_protocol  => hiera('CONFIG_CINDER_NETAPP_STORAGE_PROTOCOL'),
        netapp_transport_type    => hiera('CONFIG_CINDER_NETAPP_TRANSPORT_TYPE'),
        netapp_controller_ips    => hiera('CONFIG_CINDER_NETAPP_CONTROLLER_IPS'),
        netapp_sa_password       => hiera('CONFIG_CINDER_NETAPP_SA_PASSWORD'),
        netapp_storage_pools     => hiera('CONFIG_CINDER_NETAPP_STORAGE_POOLS'),
        netapp_eseries_host_type => hiera('CONFIG_CINDER_NETAPP_ESERIES_HOST_TYPE'),
        netapp_webservice_path   => hiera('CONFIG_CINDER_NETAPP_WEBSERVICE_PATH'),
      }
        ensure_packages(['iscsi-initiator-utils'], {'ensure' => 'present'})
    }
    cinder::type { $netapp_backend_name:
      set_key   => 'volume_backend_name',
      set_value => $netapp_backend_name,
      require   => Class['cinder::api'],
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/cinder/backend/nfs.pp
+++ b/packstack/puppet/modules/packstack/manifests/cinder/backend/nfs.pp
@@ -0,0 +1,16 @@
 class packstack::cinder::backend::nfs ()
 {
    ensure_packages(['nfs-utils'], {'ensure' => 'present'})
    cinder::backend::nfs { 'nfs':
      nfs_servers       => hiera_array('CONFIG_CINDER_NFS_MOUNTS'),
      require           => Package['nfs-utils'],
      nfs_shares_config => '/etc/cinder/nfs_shares.conf',
    }
    cinder::type { 'nfs':
      set_key   => 'volume_backend_name',
      set_value => 'nfs',
      require   => Class['cinder::api'],
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/cinder/backend/solidfire.pp
+++ b/packstack/puppet/modules/packstack/manifests/cinder/backend/solidfire.pp
@@ -0,0 +1,20 @@
 # Copyright (c) – 2016, Edward Balduf. All rights reserved.
 class packstack::cinder::backend::solidfire ()
 {
    $solidfire_backend_name = 'solidfire'
    cinder::backend::solidfire { $solidfire_backend_name :
        san_ip               => hiera('CONFIG_CINDER_SOLIDFIRE_LOGIN'),
        san_login            => hiera('CONFIG_CINDER_SOLIDFIRE_PASSWORD'),
        san_password         => hiera('CONFIG_CINDER_SOLIDFIRE_HOSTNAME'),
        volume_backend_name  => $solidfire_backend_name,
    }
    ensure_packages(['iscsi-initiator-utils'], {'ensure' => 'present'})
    cinder::type { $solidfire_backend_name:
      set_key   => 'volume_backend_name',
      set_value => $solidfire_backend_name,
      require   => Class['cinder::api'],
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/cinder/backend/vmdk.pp
+++ b/packstack/puppet/modules/packstack/manifests/cinder/backend/vmdk.pp
@@ -0,0 +1,14 @@
 class packstack::cinder::backend::vmdk ()
 {
    cinder::backend::vmdk { 'vmdk':
      host_ip       => hiera('CONFIG_VCENTER_HOST'),
      host_username => hiera('CONFIG_VCENTER_USER'),
      host_password => hiera('CONFIG_VCENTER_PASSWORD'),
    }
    cinder::type { 'vmdk':
      set_key   => 'volume_backend_name',
      set_value => 'vmdk',
      require   => Class['cinder::api'],
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/cinder/backup.pp
+++ b/packstack/puppet/modules/packstack/manifests/cinder/backup.pp
@@ -0,0 +1,12 @@
 class packstack::cinder::backup ()
 {
    class { '::cinder::backup': }
    $cinder_backup_conf_ctrl_host = hiera('CONFIG_KEYSTONE_HOST_URL')
    class { '::cinder::backup::swift':
      backup_swift_url => "http://${cinder_backup_conf_ctrl_host}:8080/v1/AUTH_",
    }
    Class['cinder::api'] ~> Service['cinder-backup']
 }
--- a/packstack/puppet/modules/packstack/manifests/cinder/ceilometer.pp
+++ b/packstack/puppet/modules/packstack/manifests/cinder/ceilometer.pp
@@ -0,0 +1,4 @@
 class packstack::cinder::ceilometer ()
 {
    class { '::cinder::ceilometer': }
 }
--- a/packstack/puppet/modules/packstack/manifests/cinder/rabbitmq.pp
+++ b/packstack/puppet/modules/packstack/manifests/cinder/rabbitmq.pp
@@ -0,0 +1,33 @@
 class packstack::cinder::rabbitmq ()
 {
    $cinder_rab_cfg_cinder_db_pw = hiera('CONFIG_CINDER_DB_PW')
    $cinder_rab_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
    $kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
    $kombu_ssl_keyfile = hiera('CONFIG_CINDER_SSL_KEY', undef)
    $kombu_ssl_certfile = hiera('CONFIG_CINDER_SSL_CERT', undef)
    if $kombu_ssl_keyfile {
      $files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
      file { $files_to_set_owner:
        owner   => 'cinder',
        group   => 'cinder',
        require => Class['cinder'],
        notify  => Service['cinder-api'],
      }
    }
    class { '::cinder':
      rabbit_host         => hiera('CONFIG_AMQP_HOST_URL'),
      rabbit_port         => hiera('CONFIG_AMQP_CLIENTS_PORT'),
      rabbit_use_ssl      => hiera('CONFIG_AMQP_SSL_ENABLED'),
      rabbit_userid       => hiera('CONFIG_AMQP_AUTH_USER'),
      rabbit_password     => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
      database_connection => "mysql+pymysql://cinder:${cinder_rab_cfg_cinder_db_pw}@${cinder_rab_cfg_mariadb_host}/cinder",
      verbose             => true,
      debug               => hiera('CONFIG_DEBUG_MODE'),
      kombu_ssl_ca_certs  => $kombu_ssl_ca_certs,
      kombu_ssl_keyfile   => $kombu_ssl_keyfile,
      kombu_ssl_certfile  => $kombu_ssl_certfile,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/glance.pp
+++ b/packstack/puppet/modules/packstack/manifests/glance.pp
@@ -0,0 +1,51 @@
 class packstack::glance ()
 {
    create_resources(packstack::firewall, hiera('FIREWALL_GLANCE_RULES', {}))
    $glance_ks_pw = hiera('CONFIG_GLANCE_DB_PW')
    $glance_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
    $glance_cfg_ctrl_host = hiera('CONFIG_KEYSTONE_HOST_URL')
    # glance option bind_host requires address without brackets
    $bind_host = hiera('CONFIG_IP_VERSION') ? {
      'ipv6'  => '::0',
      default => '0.0.0.0',
      # TO-DO(mmagr): Add IPv6 support when hostnames are used
    }
    # magical hack for magical config - glance option registry_host requires brackets
    $registry_host = hiera('CONFIG_IP_VERSION') ? {
      'ipv6'  => '[::0]',
      default => '0.0.0.0',
      # TO-DO(mmagr): Add IPv6 support when hostnames are used
    }
    class { '::glance::api':
      bind_host           => $bind_host,
      registry_host       => $registry_host,
      auth_uri            => hiera('CONFIG_KEYSTONE_PUBLIC_URL'),
      identity_uri        => hiera('CONFIG_KEYSTONE_ADMIN_URL'),
      keystone_tenant     => 'services',
      keystone_user       => 'glance',
      keystone_password   => hiera('CONFIG_GLANCE_KS_PW'),
      pipeline            => 'keystone',
      database_connection => "mysql+pymysql://glance:${glance_ks_pw}@${glance_mariadb_host}/glance",
      verbose             => true,
      debug               => hiera('CONFIG_DEBUG_MODE'),
      os_region_name      => hiera('CONFIG_KEYSTONE_REGION'),
      workers             => hiera('CONFIG_SERVICE_WORKERS'),
      known_stores        => ['file', 'http', 'swift']
    }
    class { '::glance::registry':
      auth_uri            => hiera('CONFIG_KEYSTONE_PUBLIC_URL'),
      identity_uri        => hiera('CONFIG_KEYSTONE_ADMIN_URL'),
      bind_host           => $bind_host,
      keystone_tenant     => 'services',
      keystone_user       => 'glance',
      keystone_password   => hiera('CONFIG_GLANCE_KS_PW'),
      database_connection => "mysql+pymysql://glance:${glance_ks_pw}@${glance_mariadb_host}/glance",
      verbose             => true,
      debug               => hiera('CONFIG_DEBUG_MODE'),
      workers             => hiera('CONFIG_SERVICE_WORKERS'),
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/glance/backend/file.pp
+++ b/packstack/puppet/modules/packstack/manifests/glance/backend/file.pp
@@ -0,0 +1,7 @@
 class packstack::glance::backend::file ()
 {
    # TO-DO: Make this configurable
    class { '::glance::backend::file':
      filesystem_store_datadir => '/var/lib/glance/images/',
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/glance/backend/swift.pp
+++ b/packstack/puppet/modules/packstack/manifests/glance/backend/swift.pp
@@ -0,0 +1,12 @@
 class packstack::glance::backend::swift ()
 {
    class { '::glance::backend::swift':
      swift_store_user                    => 'services:glance',
      swift_store_key                     => hiera('CONFIG_GLANCE_KS_PW'),
      swift_store_auth_address            => hiera('CONFIG_KEYSTONE_PUBLIC_URL'),
      swift_store_container               => 'glance',
      swift_store_auth_version            => '2',
      swift_store_large_object_size       => '5120',
      swift_store_create_container_on_put => true,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/glance/ceilometer.pp
+++ b/packstack/puppet/modules/packstack/manifests/glance/ceilometer.pp
@@ -0,0 +1,29 @@
 class packstack::glance::ceilometer ()
 {
    $kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
    $kombu_ssl_keyfile = hiera('CONFIG_GLANCE_SSL_KEY', undef)
    $kombu_ssl_certfile = hiera('CONFIG_GLANCE_SSL_CERT', undef)
    if $kombu_ssl_keyfile {
      $files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
      file { $files_to_set_owner:
        owner   => 'glance',
        group   => 'glance',
        require => Class['::glance::notify::rabbitmq'],
        notify  => Service['glance-api'],
      }
    }
    class { '::glance::notify::rabbitmq':
      rabbit_host                  => hiera('CONFIG_AMQP_HOST_URL'),
      rabbit_notification_exchange => 'glance',
      rabbit_notification_topic    => 'notifications',
      rabbit_port                  => hiera('CONFIG_AMQP_CLIENTS_PORT'),
      rabbit_use_ssl               => hiera('CONFIG_AMQP_SSL_ENABLED'),
      rabbit_userid                => hiera('CONFIG_AMQP_AUTH_USER'),
      rabbit_password              => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
      kombu_ssl_ca_certs           => $kombu_ssl_ca_certs,
      kombu_ssl_keyfile            => $kombu_ssl_keyfile,
      kombu_ssl_certfile           => $kombu_ssl_certfile,
      notification_driver          => 'messagingv2',
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/gnocchi.pp
+++ b/packstack/puppet/modules/packstack/manifests/gnocchi.pp
@@ -0,0 +1,50 @@
 class packstack::gnocchi ()
 {
    create_resources(packstack::firewall, hiera('FIREWALL_GNOCCHI_RULES', {}))
    $gnocchi_cfg_db_pw = hiera('CONFIG_GNOCCHI_DB_PW')
    $gnocchi_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
    class { '::gnocchi::wsgi::apache':
      workers => hiera('CONFIG_SERVICE_WORKERS'),
      ssl     => false
    }
    class { '::gnocchi':
      database_connection => "mysql+pymysql://gnocchi:${gnocchi_cfg_db_pw}@${gnocchi_cfg_mariadb_host}/gnocchi?charset=utf8",
    }
    $bind_host = hiera('CONFIG_IP_VERSION') ? {
     'ipv6'  => '::0',
     default => '0.0.0.0',
    }
    class { '::gnocchi::api':
      host                   => $bind_host,
      keystone_identity_uri  => hiera('CONFIG_KEYSTONE_ADMIN_URL'),
      keystone_password      => hiera('CONFIG_GNOCCHI_KS_PW'),
      keystone_auth_uri      => hiera('CONFIG_KEYSTONE_PUBLIC_URL'),
      service_name           => 'httpd',
    }
    # TO-DO: Remove this workaround as soon as module support is implemented (see rhbz#1300662)
    gnocchi_config {
      'keystone_authtoken/auth_version': value => hiera('CONFIG_KEYSTONE_API_VERSION');
    }
    class { '::gnocchi::db::sync': }
    class { '::gnocchi::storage': }
    class { '::gnocchi::storage::file': }
    class {'::gnocchi::metricd': }
    class {'::gnocchi::statsd':
      resource_id         => '5e3fcbe2-7aab-475d-b42c-a440aa42e5ad',
      user_id             => 'e0ca4711-1128-422c-abd6-62db246c32e7',
      project_id          => 'af0c88e8-90d8-4795-9efe-57f965e67318',
      archive_policy_name => 'high',
      flush_delay         => '10',
    }
    include ::gnocchi::client
 }
--- a/packstack/puppet/modules/packstack/manifests/heat.pp
+++ b/packstack/puppet/modules/packstack/manifests/heat.pp
@@ -0,0 +1,22 @@
 class packstack::heat ()
 {
    create_resources(packstack::firewall, hiera('FIREWALL_HEAT_RULES', {}))
    class { '::heat::api': }
    $keystone_admin = hiera('CONFIG_KEYSTONE_ADMIN_USERNAME')
    $heat_cfg_ctrl_host = hiera('CONFIG_KEYSTONE_HOST_URL')
    class { '::heat::engine':
      heat_metadata_server_url      => "http://${heat_cfg_ctrl_host}:8000",
      heat_waitcondition_server_url => "http://${heat_cfg_ctrl_host}:8000/v1/waitcondition",
      heat_watch_server_url         => "http://${heat_cfg_ctrl_host}:8003",
      auth_encryption_key           => hiera('CONFIG_HEAT_AUTH_ENC_KEY'),
    }
    class { '::heat::keystone::domain':
      domain_name       => hiera('CONFIG_HEAT_DOMAIN'),
      domain_admin      => hiera('CONFIG_HEAT_DOMAIN_ADMIN'),
      domain_password   => hiera('CONFIG_HEAT_DOMAIN_PASSWORD'),
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/heat/cfn.pp
+++ b/packstack/puppet/modules/packstack/manifests/heat/cfn.pp
@@ -0,0 +1,17 @@
 class packstack::heat::cfn ()
 {
    create_resources(packstack::firewall, hiera('FIREWALL_HEAT_CFN_RULES', {}))
    class { '::heat::api_cfn':
      workers => hiera('CONFIG_SERVICE_WORKERS'),
    }
    $heat_cfn_cfg_ctrl_host = hiera('CONFIG_KEYSTONE_HOST_URL')
    class { '::heat::keystone::auth_cfn':
      admin_url    => "http://$heat_cfn_cfg_ctrl_host:8000/v1",
      public_url   => "http://$heat_cfn_cfg_ctrl_host:8000/v1",
      internal_url => "http://$heat_cfn_cfg_ctrl_host:8000/v1",
      password     => hiera('CONFIG_HEAT_KS_PW'),
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/heat/cloudwatch.pp
+++ b/packstack/puppet/modules/packstack/manifests/heat/cloudwatch.pp
@@ -0,0 +1,8 @@
 class packstack::heat::cloudwatch ()
 {
    create_resources(packstack::firewall, hiera('FIREWALL_HEAT_CLOUDWATCH_RULES', {}))
    class { '::heat::api_cloudwatch':
      workers => hiera('CONFIG_SERVICE_WORKERS'),
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/heat/rabbitmq.pp
+++ b/packstack/puppet/modules/packstack/manifests/heat/rabbitmq.pp
@@ -0,0 +1,45 @@
 class packstack::heat::rabbitmq ()
 {
    $heat_rabbitmq_cfg_heat_db_pw = hiera('CONFIG_HEAT_DB_PW')
    $heat_rabbitmq_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
    $kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', $::os_service_default)
    $kombu_ssl_keyfile = hiera('CONFIG_HEAT_SSL_KEY', $::os_service_default)
    $kombu_ssl_certfile = hiera('CONFIG_HEAT_SSL_CERT', $::os_service_default)
    if ! is_service_default($kombu_ssl_keyfile) {
      $files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
      file { $files_to_set_owner:
        owner   => 'heat',
        group   => 'heat',
        require => Package['heat-common'],
      }
      File[$files_to_set_owner] ~> Service<| tag == 'heat-service' |>
    }
    if hiera('CONFIG_CEILOMETER_INSTALL') == 'y' {
      $heat_notification_driver = 'messagingv2'
    } else {
      $heat_notification_driver = $::os_service_default
    }
    class { '::heat':
      keystone_password   => hiera('CONFIG_HEAT_KS_PW'),
      auth_uri            => hiera('CONFIG_KEYSTONE_PUBLIC_URL'),
      identity_uri        => hiera('CONFIG_KEYSTONE_ADMIN_URL'),
      keystone_ec2_uri    => hiera('CONFIG_KEYSTONE_PUBLIC_URL'),
      rpc_backend         => 'rabbit',
      rabbit_host         => hiera('CONFIG_AMQP_HOST_URL'),
      rabbit_port         => hiera('CONFIG_AMQP_CLIENTS_PORT'),
      rabbit_use_ssl      => hiera('CONFIG_AMQP_SSL_ENABLED'),
      rabbit_userid       => hiera('CONFIG_AMQP_AUTH_USER'),
      rabbit_password     => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
      verbose             => true,
      debug               => hiera('CONFIG_DEBUG_MODE'),
      database_connection => "mysql+pymysql://heat:${heat_rabbitmq_cfg_heat_db_pw}@${heat_rabbitmq_cfg_mariadb_host}/heat",
      kombu_ssl_ca_certs  => $kombu_ssl_ca_certs,
      kombu_ssl_keyfile   => $kombu_ssl_keyfile,
      kombu_ssl_certfile  => $kombu_ssl_certfile,
      notification_driver => $heat_notification_driver,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/horizon.pp
+++ b/packstack/puppet/modules/packstack/manifests/horizon.pp
@@ -0,0 +1,59 @@
 class packstack::horizon ()
 {
    $is_django_debug = hiera('CONFIG_DEBUG_MODE') ? {
      true  => 'True',
      false => 'False',
    }
    $bind_host = hiera('CONFIG_IP_VERSION') ? {
      'ipv6'  => '::0',
      default => '0.0.0.0',
      # TO-DO(mmagr): Add IPv6 support when hostnames are used
    }
    $horizon_ssl = hiera('CONFIG_HORIZON_SSL') ? {
      'y' => true,
      'n' => false,
    }
    class {'::horizon':
      secret_key            => hiera('CONFIG_HORIZON_SECRET_KEY'),
      keystone_url          => hiera('CONFIG_KEYSTONE_PUBLIC_URL'),
      keystone_default_role => '_member_',
      server_aliases        => [hiera('CONFIG_CONTROLLER_HOST'), $::fqdn, 'localhost'],
      allowed_hosts         => '*',
      hypervisor_options    => {'can_set_mount_point' => false, },
      django_debug          => $is_django_debug,
      django_session_engine => 'django.contrib.sessions.backends.cache',
      cache_backend         => 'django.core.cache.backends.memcached.MemcachedCache',
      cache_server_ip       => '127.0.0.1',
      cache_server_port     => '11211',
      file_upload_temp_dir  => '/var/tmp',
      listen_ssl            => $horizon_ssl,
      horizon_cert          => hiera('CONFIG_HORIZON_SSL_CERT', undef),
      horizon_key           => hiera('CONFIG_HORIZON_SSL_KEY', undef),
      horizon_ca            => hiera('CONFIG_HORIZON_SSL_CACERT', undef),
      neutron_options       => {
        'enable_lb'       => hiera('CONFIG_HORIZON_NEUTRON_LB'),
        'enable_firewall' => hiera('CONFIG_HORIZON_NEUTRON_FW'),
        'enable_vpn'      => hiera('CONFIG_HORIZON_NEUTRON_VPN'),
      },
    }
    include '::packstack::memcached'
    $firewall_port = hiera('CONFIG_HORIZON_PORT')
    firewall { "001 horizon ${firewall_port} incoming":
      proto  => 'tcp',
      dport  => [$firewall_port],
      action => 'accept',
    }
    if str2bool($::selinux) {
      selboolean{ 'httpd_can_network_connect':
        value      => on,
        persistent => true,
      }
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/ironic.pp
+++ b/packstack/puppet/modules/packstack/manifests/ironic.pp
@@ -0,0 +1,17 @@
 class packstack::ironic ()
 {
    create_resources(packstack::firewall, hiera('FIREWALL_IRONIC_API_RULES', {}))
    ironic_config {
      'glance/glance_host': value => hiera('CONFIG_STORAGE_HOST_URL');
    }
    class { '::ironic::api':
      auth_uri       => hiera('CONFIG_KEYSTONE_PUBLIC_URL'),
      admin_password => hiera('CONFIG_IRONIC_KS_PW'),
    }
    class { '::ironic::client': }
    class { '::ironic::conductor': }
 }
--- a/packstack/puppet/modules/packstack/manifests/ironic/rabbitmq.pp
+++ b/packstack/puppet/modules/packstack/manifests/ironic/rabbitmq.pp
@@ -0,0 +1,34 @@
 class packstack::ironic::rabbitmq ()
 {
    $ironic_rabbitmq_cfg_ironic_db_pw = hiera('CONFIG_IRONIC_DB_PW')
    $ironic_rabbitmq_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
    $kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
    $kombu_ssl_keyfile = hiera('CONFIG_IRONIC_SSL_KEY', undef)
    $kombu_ssl_certfile = hiera('CONFIG_IRONIC_SSL_CERT', undef)
    if $kombu_ssl_keyfile {
      $files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
      file { $files_to_set_owner:
        owner   => 'ironic',
        group   => 'ironic',
        require => Package['ironic-common'],
      }
      File[$files_to_set_owner] ~> Service<| tag == 'ironic-service' |>
    }
    class { '::ironic':
      rpc_backend         => 'rabbit',
      rabbit_host         => hiera('CONFIG_AMQP_HOST_URL'),
      rabbit_port         => hiera('CONFIG_AMQP_CLIENTS_PORT'),
      rabbit_use_ssl      => hiera('CONFIG_AMQP_SSL_ENABLED'),
      rabbit_userid       => hiera('CONFIG_AMQP_AUTH_USER'),
      rabbit_password     => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
      database_connection => "mysql+pymysql://ironic:${ironic_rabbitmq_cfg_ironic_db_pw}@${ironic_rabbitmq_cfg_mariadb_host}/ironic",
      debug               => true,
      verbose             => true,
      kombu_ssl_ca_certs  => $kombu_ssl_ca_certs,
      kombu_ssl_keyfile   => $kombu_ssl_keyfile,
      kombu_ssl_certfile  => $kombu_ssl_certfile,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/keystone.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone.pp
@@ -0,0 +1,135 @@
 class packstack::keystone ()
 {
    create_resources(packstack::firewall, hiera('FIREWALL_KEYSTONE_RULES', {}))
    $keystone_use_ssl = false
    $keystone_cfg_ks_db_pw = hiera('CONFIG_KEYSTONE_DB_PW')
    $keystone_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
    $keystone_token_provider_str = downcase(hiera('CONFIG_KEYSTONE_TOKEN_FORMAT'))
    $keystone_url = regsubst(regsubst(hiera('CONFIG_KEYSTONE_PUBLIC_URL'),'/v2.0',''),'/v3','')
    $keystone_admin_url = hiera('CONFIG_KEYSTONE_ADMIN_URL')
    $bind_host = hiera('CONFIG_IP_VERSION') ? {
      'ipv6'  => '::0',
      default => '0.0.0.0',
      # TO-DO(mmagr): Add IPv6 support when hostnames are used
    }
    class { '::keystone::client': }
    if hiera('CONFIG_KEYSTONE_DB_PURGE_ENABLE',false) {
      class { '::keystone::cron::token_flush':
        minute      => '*/1',
        require     => Service['crond'],
        destination => '/dev/null',
      }
      service { 'crond':
        ensure => 'running',
        enable => true,
      }
    }
    class { '::keystone':
      admin_token         => hiera('CONFIG_KEYSTONE_ADMIN_TOKEN'),
      database_connection => "mysql+pymysql://keystone_admin:${keystone_cfg_ks_db_pw}@${keystone_cfg_mariadb_host}/keystone",
      token_provider      => "keystone.token.providers.${keystone_token_provider_str}.Provider",
      verbose             => true,
      debug               => hiera('CONFIG_DEBUG_MODE'),
      service_name        => 'httpd',
      enable_ssl          => $keystone_use_ssl,
      public_bind_host    => $bind_host,
      admin_bind_host     => $bind_host,
      default_domain      => 'Default',
    }
    class { '::keystone::wsgi::apache':
      workers => hiera('CONFIG_SERVICE_WORKERS'),
      ssl     => $keystone_use_ssl
    }
    if hiera('CONFIG_HEAT_INSTALL') == 'y' {
      $keystone_admin_roles = ['admin', '_member_', 'heat_stack_owner']
    } else {
      $keystone_admin_roles = ['admin']
    }
    # Ensure the default _member_ role is present
    keystone_role { '_member_':
      ensure => present,
    } ->
    class { '::keystone::roles::admin':
      email        => hiera('CONFIG_KEYSTONE_ADMIN_EMAIL'),
      admin        => hiera('CONFIG_KEYSTONE_ADMIN_USERNAME'),
      password     => hiera('CONFIG_KEYSTONE_ADMIN_PW'),
      admin_tenant => 'admin',
      admin_roles  => $keystone_admin_roles,
    }
    class { '::keystone::endpoint':
      default_domain => 'Default',
      public_url     => $keystone_url,
      internal_url   => $keystone_url,
      admin_url      => $keystone_admin_url,
      region         => hiera('CONFIG_KEYSTONE_REGION'),
      # so far enforce v2 as default endpoint
      version        => 'v2.0',
    }
    # default assignment driver is SQL
    $assignment_driver = 'keystone.assignment.backends.sql.Assignment'
    if hiera('CONFIG_KEYSTONE_IDENTITY_BACKEND') == 'ldap' {
      if hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ENABLED_EMULATION_DN', undef) {
        $user_enabled_emulation = true
      } else {
        $user_enabled_emulation = false
      }
      class { '::keystone::ldap':
        url                                => hiera_undef('CONFIG_KEYSTONE_LDAP_URL', undef),
        user                               => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_DN', undef),
        password                           => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_PASSWORD', undef),
        suffix                             => hiera_undef('CONFIG_KEYSTONE_LDAP_SUFFIX', undef),
        query_scope                        => hiera_undef('CONFIG_KEYSTONE_LDAP_QUERY_SCOPE', undef),
        page_size                          => hiera_undef('CONFIG_KEYSTONE_LDAP_PAGE_SIZE', undef),
        user_tree_dn                       => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_SUBTREE', undef),
        user_filter                        => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_FILTER', undef),
        user_objectclass                   => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_OBJECTCLASS', undef),
        user_id_attribute                  => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ID_ATTRIBUTE', undef),
        user_name_attribute                => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_NAME_ATTRIBUTE', undef),
        user_mail_attribute                => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_MAIL_ATTRIBUTE', undef),
        user_enabled_attribute             => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ENABLED_ATTRIBUTE', undef),
        user_enabled_mask                  => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ENABLED_MASK', undef),
        user_enabled_default               => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ENABLED_DEFAULT', undef),
        user_enabled_invert                => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ENABLED_INVERT', undef),
        user_attribute_ignore              => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ATTRIBUTE_IGNORE', undef),
        user_default_project_id_attribute  => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_DEFAULT_PROJECT_ID_ATTRIBUTE', undef),
        user_allow_create                  => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ALLOW_CREATE', undef),
        user_allow_update                  => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ALLOW_UPDATE', undef),
        user_allow_delete                  => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ALLOW_DELETE', undef),
        user_pass_attribute                => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_PASS_ATTRIBUTE', undef),
        user_enabled_emulation             => $user_enabled_emulation,
        user_enabled_emulation_dn          => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ENABLED_EMULATION_DN', undef),
        user_additional_attribute_mapping  => hiera_undef('CONFIG_KEYSTONE_LDAP_USER_ADDITIONAL_ATTRIBUTE_MAPPING', undef),
        group_tree_dn                      => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_SUBTREE', undef),
        group_filter                       => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_FILTER', undef),
        group_objectclass                  => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_OBJECTCLASS', undef),
        group_id_attribute                 => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ID_ATTRIBUTE', undef),
        group_name_attribute               => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_NAME_ATTRIBUTE', undef),
        group_member_attribute             => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_MEMBER_ATTRIBUTE', undef),
        group_desc_attribute               => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_DESC_ATTRIBUTE', undef),
        group_attribute_ignore             => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ATTRIBUTE_IGNORE', undef),
        group_allow_create                 => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_CREATE', undef),
        group_allow_update                 => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_UPDATE', undef),
        group_allow_delete                 => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ALLOW_DELETE', undef),
        group_additional_attribute_mapping => hiera_undef('CONFIG_KEYSTONE_LDAP_GROUP_ADDITIONAL_ATTRIBUTE_MAPPING', undef),
        use_tls                            => hiera_undef('CONFIG_KEYSTONE_LDAP_USE_TLS', undef),
        tls_cacertdir                      => hiera_undef('CONFIG_KEYSTONE_LDAP_TLS_CACERTDIR', undef),
        tls_cacertfile                     => hiera_undef('CONFIG_KEYSTONE_LDAP_TLS_CACERTFILE', undef),
        tls_req_cert                       => hiera_undef('CONFIG_KEYSTONE_LDAP_TLS_REQ_CERT', undef),
        identity_driver                    => 'keystone.identity.backends.ldap.Identity',
        assignment_driver                  => $assignment_driver,
      }
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/keystone/aodh.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone/aodh.pp
@@ -0,0 +1,12 @@
 class packstack::keystone::aodh ()
 {
    $keystone_host_url = hiera('CONFIG_KEYSTONE_HOST_URL')
    class { '::aodh::keystone::auth':
      region       => hiera('CONFIG_KEYSTONE_REGION'),
      password     => hiera('CONFIG_AODH_KS_PW'),
      public_url   => "http://${keystone_host_url}:8042",
      admin_url    => "http://${keystone_host_url}:8042",
      internal_url => "http://${keystone_host_url}:8042",
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/keystone/ceilometer.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone/ceilometer.pp
@@ -0,0 +1,15 @@
 class packstack::keystone::ceilometer ()
 {
    $ceilometer_protocol = 'http'
    $ceilometer_port = '8777'
    $ceilometer_api_host = hiera('CONFIG_KEYSTONE_HOST_URL')
    $ceilometer_url = "${ceilometer_protocol}://${ceilometer_api_host}:${ceilometer_port}"
    class { '::ceilometer::keystone::auth':
      region       => hiera('CONFIG_KEYSTONE_REGION'),
      password     => hiera('CONFIG_CEILOMETER_KS_PW'),
      public_url   => $ceilometer_url,
      admin_url    => $ceilometer_url,
      internal_url => $ceilometer_url,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/keystone/cinder.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone/cinder.pp
@@ -0,0 +1,21 @@
 class packstack::keystone::cinder ()
 {
    $cinder_protocol = 'http'
    $cinder_host = hiera('CONFIG_STORAGE_HOST_URL')
    $cinder_port = '8776'
    $cinder_url = "${cinder_protocol}://${cinder_host}:$cinder_port"
    class { '::cinder::keystone::auth':
      region          => hiera('CONFIG_KEYSTONE_REGION'),
      password        => hiera('CONFIG_CINDER_KS_PW'),
      public_url      => "${cinder_url}/v1/%(tenant_id)s",
      internal_url    => "${cinder_url}/v1/%(tenant_id)s",
      admin_url       => "${cinder_url}/v1/%(tenant_id)s",
      public_url_v2   => "${cinder_url}/v2/%(tenant_id)s",
      internal_url_v2 => "${cinder_url}/v2/%(tenant_id)s",
      admin_url_v2    => "${cinder_url}/v2/%(tenant_id)s",
      public_url_v3   => "${cinder_url}/v3/%(tenant_id)s",
      internal_url_v3 => "${cinder_url}/v3/%(tenant_id)s",
      admin_url_v3    => "${cinder_url}/v3/%(tenant_id)s",
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/keystone/glance.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone/glance.pp
@@ -0,0 +1,15 @@
 class packstack::keystone::glance ()
 {
    $glance_protocol = 'http'
    $glance_port = '9292'
    $glance_api_host = hiera('CONFIG_STORAGE_HOST_URL')
    $glance_url = "${glance_protocol}://${glance_api_host}:${glance_port}"
    class { '::glance::keystone::auth':
      region       => hiera('CONFIG_KEYSTONE_REGION'),
      password     => hiera('CONFIG_GLANCE_KS_PW'),
      public_url   => $glance_url,
      admin_url    => $glance_url,
      internal_url => $glance_url,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/keystone/gnocchi.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone/gnocchi.pp
@@ -0,0 +1,12 @@
 class packstack::keystone::gnocchi ()
 {
    $gnocchi_keystone_host_url = hiera('CONFIG_KEYSTONE_HOST_URL')
    class { '::gnocchi::keystone::auth':
      region       => hiera('CONFIG_KEYSTONE_REGION'),
      password     => hiera('CONFIG_GNOCCHI_KS_PW'),
      public_url   => "http://${gnocchi_keystone_host_url}:8041",
      admin_url    => "http://${gnocchi_keystone_host_url}:8041",
      internal_url => "http://${gnocchi_keystone_host_url}:8041",
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/keystone/heat.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone/heat.pp
@@ -0,0 +1,17 @@
 class packstack::keystone::heat ()
 {
    $heat_protocol = 'http'
    $heat_port = '8004'
    $heat_api_host = hiera('CONFIG_KEYSTONE_HOST_URL')
    $heat_url = "${heat_protocol}://${heat_api_host}:${heat_port}/v1/%(tenant_id)s"
    # heat::keystone::auth
    class { '::heat::keystone::auth':
      region                    => hiera('CONFIG_KEYSTONE_REGION'),
      password                  => hiera('CONFIG_HEAT_KS_PW'),
      public_url                => $heat_url,
      admin_url                 => $heat_url,
      internal_url              => $heat_url,
      configure_delegated_roles => true,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/keystone/ironic.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone/ironic.pp
@@ -0,0 +1,15 @@
 class packstack::keystone::ironic ()
 {
    $ironic_protocol = 'http'
    $ironic_host = hiera('CONFIG_KEYSTONE_HOST_URL')
    $ironic_port = '6385'
    $ironic_url = "${ironic_protocol}://${ironic_host}:$ironic_port"
    class { '::ironic::keystone::auth':
        region       => hiera('CONFIG_KEYSTONE_REGION'),
        password     => hiera('CONFIG_IRONIC_KS_PW'),
        public_url   => $ironic_url,
        admin_url    => $ironic_url,
        internal_url => $ironic_url,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/keystone/manila.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone/manila.pp
@@ -0,0 +1,18 @@
 class packstack::keystone::manila ()
 {
    $manila_protocol = 'http'
    $manila_host = hiera('CONFIG_STORAGE_HOST_URL')
    $manila_port = '8786'
    $manila_url = "${manila_protocol}://${manila_host}:$manila_port/v1/%(tenant_id)s"
    $manila_url_v2 = "${manila_protocol}://${manila_host}:$manila_port/v2/%(tenant_id)s"
    class { '::manila::keystone::auth':
      password        => hiera('CONFIG_MANILA_KS_PW'),
      public_url      => $manila_url,
      admin_url       => $manila_url,
      internal_url    => $manila_url,
      public_url_v2   => $manila_url_v2,
      admin_url_v2    => $manila_url_v2,
      internal_url_v2 => $manila_url_v2,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/keystone/neutron.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone/neutron.pp
@@ -0,0 +1,15 @@
 class packstack::keystone::neutron ()
 {
    $neutron_protocol = 'http'
    $neutron_host = hiera('CONFIG_KEYSTONE_HOST_URL')
    $neutron_port = '9696'
    $neutron_url = "${neutron_protocol}://${neutron_host}:$neutron_port"
    class { '::neutron::keystone::auth':
      region       => hiera('CONFIG_KEYSTONE_REGION'),
      password     => hiera('CONFIG_NEUTRON_KS_PW'),
      public_url   => $neutron_url,
      admin_url    => $neutron_url,
      internal_url => $neutron_url,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/keystone/nova.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone/nova.pp
@@ -0,0 +1,19 @@
 class packstack::keystone::nova ()
 {
    $nova_protocol = 'http'
    $nova_host = hiera('CONFIG_KEYSTONE_HOST_URL')
    $nova_port = '8774'
    $nova_url = "${nova_protocol}://${nova_host}:$nova_port/v2/%(tenant_id)s"
    $nova_v3_url = "${nova_protocol}://${nova_host}:$nova_port/v3"
    class { '::nova::keystone::auth':
      region          => hiera('CONFIG_KEYSTONE_REGION'),
      password        => hiera('CONFIG_NOVA_KS_PW'),
      public_url      => $nova_url,
      admin_url       => $nova_url,
      internal_url    => $nova_url,
      public_url_v3   => $nova_v3_url,
      admin_url_v3    => $nova_v3_url,
      internal_url_v3 => $nova_v3_url,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/keystone/sahara.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone/sahara.pp
@@ -0,0 +1,14 @@
 class packstack::keystone::sahara ()
 {
    $sahara_protocol = 'http'
    $sahara_host = hiera('CONFIG_KEYSTONE_HOST_URL')
    $sahara_port = '8386'
    $sahara_url = "${sahara_protocol}://${sahara_host}:$sahara_port/v1.1/%(tenant_id)s"
    class { '::sahara::keystone::auth':
      password     => hiera('CONFIG_SAHARA_KS_PW'),
      public_url   => $sahara_url,
      admin_url    => $sahara_url,
      internal_url => $sahara_url,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/keystone/swift.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone/swift.pp
@@ -0,0 +1,17 @@
 class packstack::keystone::swift ()
 {
    $swift_protocol = 'http'
    $swift_host = hiera('CONFIG_STORAGE_HOST_URL')
    $swift_port = '8080'
    $swift_url = "${swift_protocol}://${swift_host}:$swift_port/v1/AUTH_%(tenant_id)s"
    class { '::swift::keystone::auth':
      region          => hiera('CONFIG_KEYSTONE_REGION'),
      password        => hiera('CONFIG_SWIFT_KS_PW'),
      operator_roles  => ['admin', 'SwiftOperator', 'ResellerAdmin'],
      public_url      => $swift_url,
      internal_url    => $swift_url,
      admin_url       => $swift_url,
      configure_s3_endpoint  => false,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/keystone/trove.pp
+++ b/packstack/puppet/modules/packstack/manifests/keystone/trove.pp
@@ -0,0 +1,15 @@
 class packstack::keystone::trove ()
 {
    $trove_protocol = 'http'
    $trove_host = hiera('CONFIG_KEYSTONE_HOST_URL')
    $trove_port = '8779'
    $trove_url = "${trove_protocol}://${trove_host}:$trove_port/v1.0/%(tenant_id)s"
    class { '::trove::keystone::auth':
      region       => hiera('CONFIG_KEYSTONE_REGION'),
      password     => hiera('CONFIG_TROVE_KS_PW'),
      public_url   => $trove_url,
      admin_url    => $trove_url,
      internal_url => $trove_url,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/manila.pp
+++ b/packstack/puppet/modules/packstack/manifests/manila.pp
@@ -0,0 +1,32 @@
 class packstack::manila ()
 {
    create_resources(packstack::firewall, hiera('FIREWALL_MANILA_API_RULES', {}))
    manila_config {
      'DEFAULT/glance_host': value => hiera('CONFIG_STORAGE_HOST_URL');
    }
    $bind_host = hiera('CONFIG_IP_VERSION') ? {
      'ipv6'  => '::0',
      default => '0.0.0.0',
      # TO-DO(mmagr): Add IPv6 support when hostnames are used
    }
    class { '::manila::api':
      bind_host          => $bind_host,
      keystone_password  => hiera('CONFIG_MANILA_KS_PW'),
      keystone_tenant    => 'services',
      keystone_user      => 'manila',
      keystone_auth_uri  => hiera('CONFIG_KEYSTONE_PUBLIC_URL'),
    }
    class { '::manila::scheduler':
    }
    class { '::manila::share':
    }
    class { '::manila::backends':
      enabled_share_backends => hiera('CONFIG_MANILA_BACKEND'),
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/manila/backend/generic.pp
+++ b/packstack/puppet/modules/packstack/manifests/manila/backend/generic.pp
@@ -0,0 +1,50 @@
 class packstack::manila::backend::generic ()
 {
    ensure_packages(['nfs-utils'], {'ensure' => 'present'})
    manila::backend::generic{ 'generic':
      driver_handles_share_servers => hiera('CONFIG_MANILA_GENERIC_DRV_HANDLES_SHARE_SERVERS'),
      volume_name_template         => hiera('CONFIG_MANILA_GENERIC_VOLUME_NAME_TEMPLATE'),
      share_mount_path             => hiera('CONFIG_MANILA_GENERIC_SHARE_MOUNT_PATH'),
    }
    packstack::manila::network{ 'generic': }
    if ($::manila_network_type == 'neutron'){
      $service_instance_network_helper_type = 'neutron'
    }
    elsif ($::manila_network_type == 'nova-network'){
      $service_instance_network_helper_type = 'nova'
    }
    $admin_username = hiera('CONFIG_KEYSTONE_ADMIN_USERNAME')
    $admin_password = hiera('CONFIG_KEYSTONE_ADMIN_PW')
    $admin_tenant   = 'admin'
    $keystone_url   = hiera('CONFIG_KEYSTONE_PUBLIC_URL')
    nova_flavor { 'm1.manila':
      ensure => present,
      id     => '66',
      ram    => '512',
      disk   => '0',
      vcpus  => '1',
      require => [ Class['::nova::api'], Class['::nova::keystone::auth'] ],
    } ->
    manila::service_instance{ 'generic':
      service_image_location               => hiera('CONFIG_MANILA_SERVICE_IMAGE_LOCATION'),
      service_instance_user                => hiera('CONFIG_MANILA_SERVICE_INSTANCE_USER'),
      service_instance_password            => hiera('CONFIG_MANILA_SERVICE_INSTANCE_PASSWORD'),
      service_instance_network_helper_type => $service_instance_network_helper_type,
      service_instance_flavor_id           => 66,
    }
    class { '::manila::compute::nova':
      nova_admin_password    => hiera('CONFIG_NOVA_KS_PW'),
      nova_admin_tenant_name => 'services',
    }
    class { '::manila::volume::cinder':
      cinder_admin_password    => hiera('CONFIG_CINDER_KS_PW'),
      cinder_admin_tenant_name => 'services',
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/manila/backend/glusternative.pp
+++ b/packstack/puppet/modules/packstack/manifests/manila/backend/glusternative.pp
@@ -0,0 +1,10 @@
 class packstack::manila::backend::glusternative ()
 {
    manila::backend::glusternative{ 'glusternative':
      glusterfs_servers                    => hiera('CONFIG_MANILA_GLUSTERFS_SERVERS'),
      glusterfs_native_path_to_private_key => hiera('CONFIG_MANILA_GLUSTERFS_NATIVE_PATH_TO_PRIVATE_KEY'),
      glusterfs_volume_pattern             => hiera('CONFIG_MANILA_GLUSTERFS_VOLUME_PATTERN'),
    }
    packstack::manila::network{ 'glusternative': }
 }
--- a/packstack/puppet/modules/packstack/manifests/manila/backend/glusternfs.pp
+++ b/packstack/puppet/modules/packstack/manifests/manila/backend/glusternfs.pp
@@ -0,0 +1,14 @@
 class packstack::manila::backend::glusternfs ()
 {
    manila::backend::glusternfs{ 'glusternfs':
      glusterfs_target              => hiera('CONFIG_MANILA_GLUSTERFS_TARGET'),
      glusterfs_mount_point_base    => hiera('CONFIG_MANILA_GLUSTERFS_MOUNT_POINT_BASE'),
      glusterfs_nfs_server_type     => hiera('CONFIG_MANILA_GLUSTERFS_NFS_SERVER_TYPE'),
      glusterfs_path_to_private_key => hiera('CONFIG_MANILA_GLUSTERFS_PATH_TO_PRIVATE_KEY'),
      glusterfs_ganesha_server_ip   => hiera('CONFIG_MANILA_GLUSTERFS_GANESHA_SERVER_IP'),
    }
    packstack::manila::network{ 'glusternfs': }
    include  '::manila::ganesha'
 }
--- a/packstack/puppet/modules/packstack/manifests/manila/backend/netapp.pp
+++ b/packstack/puppet/modules/packstack/manifests/manila/backend/netapp.pp
@@ -0,0 +1,18 @@
 class packstack::manila::backend::netapp ()
 {
    manila::backend::netapp{ 'netapp':
      driver_handles_share_servers         => hiera('CONFIG_MANILA_NETAPP_DRV_HANDLES_SHARE_SERVERS'),
      netapp_transport_type                => hiera('CONFIG_MANILA_NETAPP_TRANSPORT_TYPE'),
      netapp_login                         => hiera('CONFIG_MANILA_NETAPP_LOGIN'),
      netapp_password                      => hiera('CONFIG_MANILA_NETAPP_PASSWORD'),
      netapp_server_hostname               => hiera('CONFIG_MANILA_NETAPP_SERVER_HOSTNAME'),
      netapp_storage_family                => hiera('CONFIG_MANILA_NETAPP_STORAGE_FAMILY'),
      netapp_server_port                   => hiera('CONFIG_MANILA_NETAPP_SERVER_PORT'),
      netapp_vserver                       => hiera('CONFIG_MANILA_NETAPP_VSERVER', undef),
      netapp_aggregate_name_search_pattern => hiera('CONFIG_MANILA_NETAPP_AGGREGATE_NAME_SEARCH_PATTERN'),
      netapp_root_volume_aggregate         => hiera('CONFIG_MANILA_NETAPP_ROOT_VOLUME_AGGREGATE', undef),
      netapp_root_volume_name              => hiera('CONFIG_MANILA_NETAPP_ROOT_VOLUME_NAME', undef),
    }
    packstack::manila::network{ 'netapp': }
 }
--- a/packstack/puppet/modules/packstack/manifests/manila/network.pp
+++ b/packstack/puppet/modules/packstack/manifests/manila/network.pp
@@ -1,17 +1,17 @@
 $manila_network_type = hiera('CONFIG_MANILA_NETWORK_TYPE')
 define packstack::manila::network ($backend_name = $name) {
  $manila_network_type = hiera('CONFIG_MANILA_NETWORK_TYPE')
-  if ($::manila_network_type == 'neutron'){
+  if ($manila_network_type == 'neutron'){
    class { '::manila::network::neutron':
      neutron_admin_password     => hiera('CONFIG_NEUTRON_KS_PW'),
      neutron_admin_tenant_name  => 'services',
    }
  }
-  elsif ($::manila_network_type == 'nova-network'){
+  elsif ($manila_network_type == 'nova-network'){
    manila::network::nova_network{ $backend_name: }
  }
-  elsif ($::manila_network_type == 'standalone'){
+  elsif ($manila_network_type == 'standalone'){
    manila::network::standalone{ $backend_name:
      standalone_network_plugin_gateway           => hiera('CONFIG_MANILA_NETWORK_STANDALONE_GATEWAY'),
      standalone_network_plugin_mask              => hiera('CONFIG_MANILA_NETWORK_STANDALONE_NETMASK'),
@@ -21,6 +21,7 @@ define packstack::manila::network ($backend_name = $name) {
    }
  }
  else {
-    fail("The value ${::manila_network_type} is not a valid value for the Manila network type.")
+    fail("The value ${manila_network_type} is not a valid value for the Manila network type.")
  }
 }
--- a/packstack/puppet/modules/packstack/manifests/manila/rabbitmq.pp
+++ b/packstack/puppet/modules/packstack/manifests/manila/rabbitmq.pp
@@ -0,0 +1,31 @@
 class packstack::manila::rabbitmq ()
 {
    $kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
    $kombu_ssl_keyfile = hiera('CONFIG_MANILA_SSL_KEY', undef)
    $kombu_ssl_certfile = hiera('CONFIG_MANILA_SSL_CERT', undef)
    if $kombu_ssl_keyfile {
      $files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
      file { $files_to_set_owner:
        owner   => 'manila',
        group   => 'manila',
        # manila user on RH/Fedora is provided by python-manila
        require => Package['manila'],
      }
      File[$files_to_set_owner] ~> Service<| tag == 'manila-service' |>
    }
    $db_pw = hiera('CONFIG_MANILA_DB_PW')
    $mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
    class { '::manila':
      rabbit_host     => hiera('CONFIG_AMQP_HOST_URL'),
      rabbit_port     => hiera('CONFIG_AMQP_CLIENTS_PORT'),
      rabbit_use_ssl  => hiera('CONFIG_AMQP_SSL_ENABLED'),
      rabbit_userid   => hiera('CONFIG_AMQP_AUTH_USER'),
      rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
      sql_connection  => "mysql+pymysql://manila:${db_pw}@${mariadb_host}/manila",
      verbose         => true,
      debug           => hiera('CONFIG_DEBUG_MODE'),
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/mariadb.pp
+++ b/packstack/puppet/modules/packstack/manifests/mariadb.pp
@@ -0,0 +1,69 @@
 class packstack::mariadb ()
 {
  if hiera('CONFIG_MARIADB_INSTALL') == 'y' {
    create_resources(packstack::firewall, hiera('FIREWALL_MARIADB_RULES', {}))
    $max_connections = hiera('CONFIG_SERVICE_WORKERS') * 128
    if ($::mariadb_provides_galera == 'true') {
      # Since mariadb 10.1 galera is included in main mariadb
      $mariadb_package_name = 'mariadb-server-galera'
      $mariadb_present      = 'present'
    } else  {
      # Package mariadb-server conflicts with mariadb-galera-server
      $mariadb_package_name = 'mariadb-galera-server'
      $mariadb_present      = 'absent'
    }
    ensure_packages(['mariadb-server'], {'ensure' => $mariadb_present})
    $bind_address = hiera('CONFIG_IP_VERSION') ? {
      'ipv6'  => '::0',
      default => '0.0.0.0',
      # TO-DO(mmagr): Add IPv6 support when hostnames are used
    }
    $mysql_root_password = hiera('CONFIG_MARIADB_PW')
    class { '::mysql::server':
      package_name     => $mariadb_package_name,
      restart          => true,
      root_password    => $mysql_root_password,
      require          => Package['mariadb-server'],
      override_options => {
        'mysqld' => {
          'bind_address'           => $bind_address,
          'default_storage_engine' => 'InnoDB',
          'max_connections'        => $max_connections,
          'open_files_limit'       => '-1',
          # galera options
          'wsrep_provider'         => 'none',
          'wsrep_cluster_name'     => 'galera_cluster',
          'wsrep_sst_method'       => 'rsync',
          'wsrep_sst_auth'         => "root:${mysql_root_password}",
        },
      },
    }
    # deleting database users for security
    # this is done in mysql::server::account_security but has problems
    # when there is no fqdn, so we're defining a slightly different one here
    mysql_user { [ 'root@127.0.0.1', 'root@::1', '@localhost', '@%' ]:
      ensure  => 'absent',
      require => Class['mysql::server'],
    }
    if ($::fqdn != '' and $::fqdn != 'localhost') {
      mysql_user { [ "root@${::fqdn}", "@${::fqdn}"]:
        ensure  => 'absent',
        require => Class['mysql::server'],
      }
    }
    if ($::fqdn != $::hostname and $::hostname != 'localhost') {
      mysql_user { ["root@${::hostname}", "@${::hostname}"]:
        ensure  => 'absent',
        require => Class['mysql::server'],
      }
    }
  } else {
        class { '::remote::db': }
  }
 }
--- a/packstack/puppet/modules/packstack/manifests/mariadb/services.pp
+++ b/packstack/puppet/modules/packstack/manifests/mariadb/services.pp
@@ -0,0 +1,106 @@
 class packstack::mariadb::services ()
 {
    class { '::keystone::db::mysql':
      user          => 'keystone_admin',
      password      => hiera('CONFIG_KEYSTONE_DB_PW'),
      allowed_hosts => '%',
      charset       => 'utf8',
    }
    if hiera('CONFIG_CINDER_INSTALL') == 'y' {
         class { '::cinder::db::mysql':
           password      => hiera('CONFIG_CINDER_DB_PW'),
           host          => '%',
           allowed_hosts => '%',
           charset       => 'utf8',
         }
    }
    if hiera('CONFIG_GLANCE_INSTALL') == 'y' {
        class { '::glance::db::mysql':
          password      => hiera('CONFIG_GLANCE_DB_PW'),
          host          => '%',
          allowed_hosts => '%',
          charset       => 'utf8',
        }
    }
    if hiera('CONFIG_GNOCCHI_INSTALL') == 'y' and
       hiera('CONFIG_CEILOMETER_INSTALL') == 'y' {
        class { '::gnocchi::db::mysql':
          password      => hiera('CONFIG_GNOCCHI_DB_PW'),
          host          => '%',
          allowed_hosts => '%',
        }
    }
    if hiera('CONFIG_HEAT_INSTALL') == 'y' {
        class { '::heat::db::mysql':
          password      => hiera('CONFIG_HEAT_DB_PW'),
          host          => '%',
          allowed_hosts => '%',
          charset       => 'utf8',
       }
    }
    if hiera('CONFIG_IRONIC_INSTALL') == 'y' {
        class { '::ironic::db::mysql':
          password      => hiera('CONFIG_IRONIC_DB_PW'),
          host          => '%',
          allowed_hosts => '%',
          charset       => 'utf8',
        }
    }
    if hiera('CONFIG_MANILA_INSTALL') == 'y' {
        class { '::manila::db::mysql':
          password      => hiera('CONFIG_MANILA_DB_PW'),
          allowed_hosts => '%',
          charset       => 'utf8',
        }
    }
    if hiera('CONFIG_NEUTRON_INSTALL') == 'y' {
        class { '::neutron::db::mysql':
          password      => hiera('CONFIG_NEUTRON_DB_PW'),
          host          => '%',
          allowed_hosts => '%',
          dbname        => hiera('CONFIG_NEUTRON_L2_DBNAME'),
          charset       => 'utf8',
        }
    }
    if hiera('CONFIG_NOVA_INSTALL') == 'y' {
        class { '::nova::db::mysql':
          password      => hiera('CONFIG_NOVA_DB_PW'),
          host          => '%',
          allowed_hosts => '%',
          charset       => 'utf8',
        }
        class { '::nova::db::mysql_api':
          password      => hiera('CONFIG_NOVA_DB_PW'),
          host          => '%',
          allowed_hosts => '%',
          charset       => 'utf8',
        }
    }
    if hiera('CONFIG_SAHARA_INSTALL') == 'y' {
        class { '::sahara::db::mysql':
          password      => hiera('CONFIG_SAHARA_DB_PW'),
          host          => '%',
          allowed_hosts => '%',
        }
    }
    if hiera('CONFIG_TROVE_INSTALL') == 'y' {
        class { '::trove::db::mysql':
            password      => hiera('CONFIG_TROVE_DB_PW'),
            host          => '%',
            allowed_hosts => '%',
            charset       => 'utf8',
        }
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/mariadb/services_remote.pp
+++ b/packstack/puppet/modules/packstack/manifests/mariadb/services_remote.pp
@@ -0,0 +1,342 @@
 class packstack::mariadb::services_remote () {
        remote_database { 'keystone':
          ensure      => 'present',
          charset     => 'utf8',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
        }
        $mariadb_keystone_noinstall_db_pw = hiera('CONFIG_KEYSTONE_DB_PW')
        remote_database_user { 'keystone_admin@%':
          password_hash => mysql_password($mariadb_keystone_noinstall_db_pw),
          db_host       => hiera('CONFIG_MARIADB_HOST'),
          db_user       => hiera('CONFIG_MARIADB_USER'),
          db_password   => hiera('CONFIG_MARIADB_PW'),
          provider      => 'mysql',
          require       => Remote_database['keystone'],
        }
        remote_database_grant { 'keystone_admin@%/keystone':
          privileges  => 'all',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
          require     => Remote_database_user['keystone_admin@%'],
        }
    if hiera('CONFIG_CINDER_INSTALL') == 'y' {
 	    remote_database { 'cinder':
 	      ensure      => 'present',
 	      charset     => 'utf8',
 	      db_host     => hiera('CONFIG_MARIADB_HOST'),
 	      db_user     => hiera('CONFIG_MARIADB_USER'),
 	      db_password => hiera('CONFIG_MARIADB_PW'),
 	      provider    => 'mysql',
 	    }
 	    $mariadb_cinder_noinstall_db_pw = hiera('CONFIG_CINDER_DB_PW')
 	    remote_database_user { 'cinder@%':
 	      password_hash => mysql_password($mariadb_cinder_noinstall_db_pw),
 	      db_host       => hiera('CONFIG_MARIADB_HOST'),
 	      db_user       => hiera('CONFIG_MARIADB_USER'),
 	      db_password   => hiera('CONFIG_MARIADB_PW'),
 	      provider      => 'mysql',
 	      require       => Remote_database['cinder'],
 	    }
 	    remote_database_grant { 'cinder@%/cinder':
 	      privileges  => 'all',
 	      db_host     => hiera('CONFIG_MARIADB_HOST'),
 	      db_user     => hiera('CONFIG_MARIADB_USER'),
 	      db_password => hiera('CONFIG_MARIADB_PW'),
 	      provider    => 'mysql',
 	      require     => Remote_database_user['cinder@%'],
 	    }
    }
    if hiera('CONFIG_GLANCE_INSTALL') == 'y' {
        remote_database { 'glance':
          ensure      => 'present',
          charset     => 'utf8',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
        }
        $mariadb_glance_noinstall_db_pw = hiera('CONFIG_GLANCE_DB_PW')
        remote_database_user { 'glance@%':
          password_hash => mysql_password($mariadb_glance_noinstall_db_pw),
          db_host       => hiera('CONFIG_MARIADB_HOST'),
          db_user       => hiera('CONFIG_MARIADB_USER'),
          db_password   => hiera('CONFIG_MARIADB_PW'),
          provider      => 'mysql',
          require       => Remote_database['glance'],
        }
        remote_database_grant { 'glance@%/glance':
          privileges  => 'all',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
          require     => Remote_database_user['glance@%'],
        }
    }
    if hiera('CONFIG_GNOCCHI_INSTALL') == 'y' and
        remote_database { 'gnocchi':
          ensure      => 'present',
          charset     => 'utf8',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
        }
        $gnocchi_cfg_db_pw = hiera('CONFIG_GNOCCHI_DB_PW')
        remote_database_user { 'gnocchi@%':
          password_hash => mysql_password($gnocchi_cfg_db_pw),
          db_host       => hiera('CONFIG_MARIADB_HOST'),
          db_user       => hiera('CONFIG_MARIADB_USER'),
          db_password   => hiera('CONFIG_MARIADB_PW'),
          provider      => 'mysql',
          require       => Remote_database['gnocchi'],
        }
        remote_database_grant { 'gnocchi@%/gnocchi':
          privileges  => 'all',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
          require     => Remote_database_user['gnocchi@%'],
        }
    }
    if hiera('CONFIG_HEAT_INSTALL') == 'y' {
        remote_database { 'heat':
          ensure      => 'present',
          charset     => 'utf8',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
        }
        $mariadb_heat_noinstall_db_pw = hiera('CONFIG_HEAT_DB_PW')
        remote_database_user { 'heat@%':
          password_hash => mysql_password($mariadb_heat_noinstall_db_pw),
          db_host       => hiera('CONFIG_MARIADB_HOST'),
          db_user       => hiera('CONFIG_MARIADB_USER'),
          db_password   => hiera('CONFIG_MARIADB_PW'),
          provider      => 'mysql',
          require       => Remote_database['heat'],
        }
        remote_database_grant { 'heat@%/heat':
          privileges  => 'all',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
          require     => Remote_database_user['heat@%'],
        }
    }
    if hiera('CONFIG_IRONIC_INSTALL') == 'y' {
        remote_database { 'ironic':
          ensure      => 'present',
          charset     => 'utf8',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
        }
        $mariadb_ironic_noinstall_db_pw = hiera('CONFIG_IRONIC_DB_PW')
        remote_database_user { 'ironic@%':
          password_hash => mysql_password($mariadb_ironic_noinstall_db_pw),
          db_host       => hiera('CONFIG_MARIADB_HOST'),
          db_user       => hiera('CONFIG_MARIADB_USER'),
          db_password   => hiera('CONFIG_MARIADB_PW'),
          provider      => 'mysql',
          require       => Remote_database['ironic'],
        }
        remote_database_grant { 'ironic@%/ironic':
          privileges  => 'all',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
          require     => Remote_database_user['ironic@%'],
        }
    }
    if hiera('CONFIG_MANILA_INSTALL') == 'y' {
        remote_database { 'manila':
          ensure      => 'present',
          charset     => 'utf8',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
        }
        $mariadb_manila_noinstall_db_pw = hiera('CONFIG_MANILA_DB_PW')
        remote_database_user { 'manila@%':
          password_hash => mysql_password($mariadb_manila_noinstall_db_pw),
          db_host       => hiera('CONFIG_MARIADB_HOST'),
          db_user       => hiera('CONFIG_MARIADB_USER'),
          db_password   => hiera('CONFIG_MARIADB_PW'),
          provider      => 'mysql',
          require       => Remote_database['manila'],
        }
        remote_database_grant { 'manila@%/manila':
          privileges  => 'all',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
          require     => Remote_database_user['manila@%'],
        }
    }
    if hiera('CONFIG_NEUTRON_INSTALL') == 'y' {
        $mariadb_neutron_noinstall_db_pw     = hiera('CONFIG_NEUTRON_DB_PW')
        $mariadb_neutron_noinstall_l2_dbname = hiera('CONFIG_NEUTRON_L2_DBNAME')
        remote_database { $mariadb_neutron_noinstall_l2_dbname:
          ensure      => present,
          charset     => 'utf8',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
        }
        remote_database_user { 'neutron@%':
          password_hash => mysql_password($mariadb_neutron_noinstall_db_pw),
          db_host       => hiera('CONFIG_MARIADB_HOST'),
          db_user       => hiera('CONFIG_MARIADB_USER'),
          db_password   => hiera('CONFIG_MARIADB_PW'),
          provider      => 'mysql',
          require       => Remote_database[$mariadb_neutron_noinstall_l2_dbname],
        }
        remote_database_grant { "neutron@%/${mariadb_neutron_noinstall_l2_dbname}":
          privileges  => 'all',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
          require     => Remote_database_user['neutron@%'],
        }
    }
    if hiera('CONFIG_NOVA_INSTALL') == 'y' {
        remote_database { 'nova':
          ensure      => 'present',
          charset     => 'utf8',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
        }
        $mariadb_nova_noinstall_db_pw = hiera('CONFIG_NOVA_DB_PW')
        remote_database_user { 'nova@%':
          password_hash => mysql_password($mariadb_nova_noinstall_db_pw),
          db_host       => hiera('CONFIG_MARIADB_HOST'),
          db_user       => hiera('CONFIG_MARIADB_USER'),
          db_password   => hiera('CONFIG_MARIADB_PW'),
          provider      => 'mysql',
          require       => Remote_database['nova'],
        }
        remote_database_grant { 'nova@%/nova':
          privileges  => 'all',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
          require     => Remote_database_user['nova@%'],
        }
    }
    if hiera('CONFIG_SAHARA_INSTALL') == 'y' {
        remote_database { 'sahara':
          ensure      => 'present',
          charset     => 'utf8',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
        }
        $sahara_cfg_sahara_db_pw = hiera('CONFIG_SAHARA_DB_PW')
        remote_database_user { 'sahara@%':
          password_hash => mysql_password($sahara_cfg_sahara_db_pw),
          db_host       => hiera('CONFIG_MARIADB_HOST'),
          db_user       => hiera('CONFIG_MARIADB_USER'),
          db_password   => hiera('CONFIG_MARIADB_PW'),
          provider      => 'mysql',
          require       => Remote_database['sahara'],
        }
        remote_database_grant { 'sahara@%/sahara':
          privileges  => 'all',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
          require     => Remote_database_user['sahara@%'],
        }
    }
    if hiera('CONFIG_TROVE_INSTALL') == 'y' {
        remote_database { 'trove':
          ensure      => 'present',
          charset     => 'utf8',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
        }
        $trove_cfg_trove_db_pw = hiera('CONFIG_TROVE_DB_PW')
        remote_database_user { 'trove@%':
          password_hash => mysql_password($trove_cfg_trove_db_pw),
          db_host       => hiera('CONFIG_MARIADB_HOST'),
          db_user       => hiera('CONFIG_MARIADB_USER'),
          db_password   => hiera('CONFIG_MARIADB_PW'),
          provider      => 'mysql',
          require       => Remote_database['trove'],
        }
        remote_database_grant { 'trove@%/trove':
          privileges  => 'all',
          db_host     => hiera('CONFIG_MARIADB_HOST'),
          db_user     => hiera('CONFIG_MARIADB_USER'),
          db_password => hiera('CONFIG_MARIADB_PW'),
          provider    => 'mysql',
          require     => Remote_database_user['trove@%'],
        }
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/memcached.pp
+++ b/packstack/puppet/modules/packstack/manifests/memcached.pp
@@ -0,0 +1,15 @@
 class packstack::memcached ()
 {
    # hack for memcached, for now we bind to localhost on ipv6
    # https://bugzilla.redhat.com/show_bug.cgi?id=1210658
    $memcached_bind_host = hiera('CONFIG_IP_VERSION') ? {
      'ipv6'  => 'localhost6',
      default => '0.0.0.0',
      # TO-DO(mmagr): Add IPv6 support when hostnames are used
    }
    class { '::memcached':
      listen_ip  => $memcached_bind_host,
      max_memory => '10%',
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/mongodb.pp
+++ b/packstack/puppet/modules/packstack/manifests/mongodb.pp
@@ -0,0 +1,26 @@
 class packstack::mongodb ()
 {
    create_resources(packstack::firewall, hiera('FIREWALL_MONGODB_RULES', {}))
    $mongodb_host = hiera('CONFIG_MONGODB_HOST')
    # The MongoDB config files differ between versions
    if (($::operatingsystem == 'fedora' and versioncmp($::operatingsystemrelease, '22') >= 0)
        or
        ($::operatingsystem != 'fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0)
       ){
      $config_file = '/etc/mongod.conf'
    } else {
      $config_file = '/etc/mongodb.conf'
    }
    class { '::mongodb::server':
      ipv6       => hiera('CONFIG_IP_VERSION') ? {
        'ipv6'  => true,
        default => false,
        # TO-DO(mmagr): Add IPv6 support when hostnames are used
      },
      smallfiles => true,
      bind_ip    => force_ip($mongodb_host),
      config     => $config_file,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/nagios/nrpe.pp
+++ b/packstack/puppet/modules/packstack/manifests/nagios/nrpe.pp
@@ -0,0 +1,40 @@
 class packstack::nagios::nrpe ()
 {
    create_resources(packstack::firewall, hiera('FIREWALL_NAGIOS_NRPE_RULES', {}))
    $nagios_configs_cfg_ctrl_host = hiera('CONFIG_CONTROLLER_HOST')
    package{ 'nrpe':
      ensure => present,
    } ->
    file{ '/etc/nagios/nrpe.cfg':
      ensure  => file,
      mode    => '0644',
      owner   => 'nagios',
      group   => 'nagios',
      require => Package['nrpe'],
    } ->
    file_line{'allowed_hosts':
      path  => '/etc/nagios/nrpe.cfg',
      match => 'allowed_hosts=',
      line  => "allowed_hosts=${nagios_configs_cfg_ctrl_host}",
    } ->
    # 5 minute load average
    file_line{'load5':
      path  => '/etc/nagios/nrpe.cfg',
      match => 'command\[load5\]=',
      line  => 'command[load5]=cut /proc/loadavg -f 1 -d " "',
    } ->
    # disk used on /var
    file_line{'df_var':
      path  => '/etc/nagios/nrpe.cfg',
      match => "command\[df_var\]=",
      line  => "command[df_var]=df /var/ | sed -re 's/.* ([0-9]+)%.*/\\1/' | grep -E '^[0-9]'",
    } ->
    service{'nrpe':
      ensure    => running,
      enable    => true,
      hasstatus => true,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/nagios/server.pp
+++ b/packstack/puppet/modules/packstack/manifests/nagios/server.pp
@@ -0,0 +1,80 @@
 class packstack::nagios::server ()
 {
    $nagios_cfg_ks_adm_pw = hiera('CONFIG_KEYSTONE_ADMIN_PW')
    $nagios_cfg_keystone_url = hiera('CONFIG_KEYSTONE_ADMIN_URL')
    $keystone_admin_username = hiera('CONFIG_KEYSTONE_ADMIN_USERNAME')
    package { ['nagios', 'nagios-plugins-nrpe']:
      ensure => present,
    } ->
    class { 'packstack::nagios_config_wrapper':
      nagios_hosts              => hiera('CONFIG_NAGIOS_NODES'),
      nagios_openstack_services => hiera('CONFIG_NAGIOS_SERVICES'),
      controller_host           => hiera('CONFIG_CONTROLLER_HOST'),
      require                   => Package['nagios'],
      notify                    => [Service['nagios'], Service['httpd']],
    } ->
    # We need to preferably install nagios-plugins-ping
    exec { 'nagios-plugins-ping':
      path    => '/usr/bin',
      command => 'yum install -y -d 0 -e 0 monitoring-plugins-ping',
      onlyif  => 'yum install -y -d 0 -e 0 nagios-plugins-ping &> /dev/null && exit 1 || exit 0',
    } ->
    file { ['/etc/nagios/nagios_command.cfg', '/etc/nagios/nagios_host.cfg', '/etc/nagios/nagios_service.cfg']:
      ensure => file,
      mode   => '0644',
      owner  => 'nagios',
      group  => 'nagios',
    } ->
    # Remove the entry for localhost, it contains services we're not
    # monitoring
    file { ['/etc/nagios/objects/localhost.cfg']:
      ensure  => file,
      content => '',
    } ->
    file_line { 'nagios_host':
      path => '/etc/nagios/nagios.cfg',
      line => 'cfg_file=/etc/nagios/nagios_host.cfg',
    } ->
    file_line { 'nagios_command':
      path => '/etc/nagios/nagios.cfg',
      line => 'cfg_file=/etc/nagios/nagios_command.cfg',
    } ->
    file_line { 'nagios_service':
      path => '/etc/nagios/nagios.cfg',
      line => 'cfg_file=/etc/nagios/nagios_service.cfg',
    } ->
    file { '/etc/nagios/keystonerc_admin':
      ensure  => file,
      owner   => 'nagios',
      mode    => '0600',
      content => "export OS_USERNAME=${keystone_admin_username}
 export OS_TENANT_NAME=admin
 export OS_PASSWORD=${nagios_cfg_ks_adm_pw}
 export OS_AUTH_URL=${nagios_cfg_keystone_url}",
    }
    $cfg_nagios_pw = hiera('CONFIG_NAGIOS_PW')
    exec { 'nagiospasswd':
      command => "/usr/bin/htpasswd -b /etc/nagios/passwd nagiosadmin ${cfg_nagios_pw}",
      require => Package['nagios'],
      before  => Service['nagios'],
    }
    class { '::apache::mod::php': }
    service { ['nagios']:
      ensure    => running,
      enable    => true,
      hasstatus => true,
    }
    firewall { '001 nagios incoming':
      proto  => 'tcp',
      dport  => ['80'],
      action => 'accept',
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/neutron.pp
+++ b/packstack/puppet/modules/packstack/manifests/neutron.pp
@@ -0,0 +1,9 @@
 class packstack::neutron ()
 {
    $neutron_db_host         = hiera('CONFIG_MARIADB_HOST_URL')
    $neutron_db_name         = hiera('CONFIG_NEUTRON_L2_DBNAME')
    $neutron_db_user         = 'neutron'
    $neutron_db_password     = hiera('CONFIG_NEUTRON_DB_PW')
    $neutron_sql_connection  = "mysql+pymysql://${neutron_db_user}:${neutron_db_password}@${neutron_db_host}/${neutron_db_name}"
    $neutron_user_password   = hiera('CONFIG_NEUTRON_KS_PW')
 }
--- a/packstack/puppet/modules/packstack/manifests/neutron/api.pp
+++ b/packstack/puppet/modules/packstack/manifests/neutron/api.pp
@@ -0,0 +1,53 @@
 class packstack::neutron::api ()
 {
    create_resources(packstack::firewall, hiera('FIREWALL_NEUTRON_SERVER_RULES', {}))
    $neutron_db_host         = hiera('CONFIG_MARIADB_HOST_URL')
    $neutron_db_name         = hiera('CONFIG_NEUTRON_L2_DBNAME')
    $neutron_db_user         = 'neutron'
    $neutron_db_password     = hiera('CONFIG_NEUTRON_DB_PW')
    $neutron_sql_connection  = "mysql+pymysql://${neutron_db_user}:${neutron_db_password}@${neutron_db_host}/${neutron_db_name}"
    $neutron_user_password   = hiera('CONFIG_NEUTRON_KS_PW')
    class { '::neutron::server':
      database_connection => $neutron_sql_connection,
      auth_password       => $neutron_user_password,
      auth_uri            => hiera('CONFIG_KEYSTONE_PUBLIC_URL'),
      identity_uri        => hiera('CONFIG_KEYSTONE_ADMIN_URL'),
      sync_db             => true,
      enabled             => true,
      api_workers         => hiera('CONFIG_SERVICE_WORKERS'),
      rpc_workers         => hiera('CONFIG_SERVICE_WORKERS'),
      service_providers   => hiera_array('SERVICE_PROVIDERS'),
    }
    # TODO: FIXME: remove this hack after upstream resolves https://bugs.launchpad.net/puppet-neutron/+bug/1474961
    if hiera('CONFIG_NEUTRON_VPNAAS') == 'y' {
      ensure_resource( 'package', 'neutron-vpnaas-agent', {
        name   => 'openstack-neutron-vpnaas',
        tag    => ['openstack', 'neutron-package'],
      })
      Package['neutron-vpnaas-agent'] ~> Service<| tag == 'neutron-service' |>
    }
    if hiera('CONFIG_NEUTRON_FWAAS') == 'y' {
        ensure_resource( 'package', 'neutron-fwaas', {
          'name'   => 'openstack-neutron-fwaas',
          'tag'    => 'openstack'
        })
      Package['neutron-fwaas'] ~> Service<| tag == 'neutron-service' |>
    }
    if hiera('CONFIG_LBAAS_INSTALL') == 'y' {
      ensure_resource( 'package', 'neutron-lbaas-agent', {
        name   => 'openstack-neutron-lbaas',
        tag    => ['openstack', 'neutron-package'],
      })
      Package['neutron-lbaas-agent'] ~> Service<| tag == 'neutron-service' |>
    }
    file { '/etc/neutron/api-paste.ini':
      ensure  => file,
      mode    => '0640',
    }
    Class['::neutron::server'] -> File['/etc/neutron/api-paste.ini']
 }
--- a/packstack/puppet/modules/packstack/manifests/neutron/dhcp.pp
+++ b/packstack/puppet/modules/packstack/manifests/neutron/dhcp.pp
@@ -0,0 +1,10 @@
 class packstack::neutron::dhcp ()
 {
    create_resources(packstack::firewall, hiera('FIREWALL_NEUTRON_DHCPIN_RULES', {}))
    create_resources(packstack::firewall, hiera('FIREWALL_NEUTRON_DHCPOUT_RULES', {}))
    class { '::neutron::agents::dhcp':
      interface_driver    => hiera('CONFIG_NEUTRON_DHCP_INTERFACE_DRIVER'),
      debug               => hiera('CONFIG_DEBUG_MODE'),
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/neutron/fwaas.pp
+++ b/packstack/puppet/modules/packstack/manifests/neutron/fwaas.pp
@@ -0,0 +1,7 @@
 class packstack::neutron::fwaas ()
 {
    class { '::neutron::services::fwaas':
      enabled => true,
      driver  => 'neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver',
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/neutron/l3.pp
+++ b/packstack/puppet/modules/packstack/manifests/neutron/l3.pp
@@ -0,0 +1,23 @@
 class packstack::neutron::l3 ()
 {
    $start_l3_agent = hiera('CONFIG_NEUTRON_VPNAAS') ? {
        'y'     => false,
        default => true
    }
    class { '::neutron::agents::l3':
      interface_driver        => hiera('CONFIG_NEUTRON_L3_INTERFACE_DRIVER'),
      external_network_bridge => hiera('CONFIG_NEUTRON_L3_EXT_BRIDGE'),
      manage_service          => $start_l3_agent,
      enabled                 => $start_l3_agent,
      debug                   => hiera('CONFIG_DEBUG_MODE'),
    }
    if defined(Class['neutron::services::fwaas']) {
      Class['neutron::services::fwaas'] -> Class['neutron::agents::l3']
    }
    sysctl::value { 'net.ipv4.ip_forward':
      value => '1',
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/neutron/lb_agent.pp
+++ b/packstack/puppet/modules/packstack/manifests/neutron/lb_agent.pp
@@ -0,0 +1,14 @@
 class packstack::neutron::lb_agent ()
 {
    $neutron_lb_interface_mappings = hiera_array('CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS')
    $use_subnets_value = hiera('CONFIG_USE_SUBNETS')
    $use_subnets = $use_subnets_value ? {
      'y'     => true,
      default => false,
    }
    class { '::neutron::agents::ml2::linuxbridge':
      physical_interface_mappings => force_interface($neutron_lb_interface_mappings, $use_subnets),
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/neutron/lbaas.pp
+++ b/packstack/puppet/modules/packstack/manifests/neutron/lbaas.pp
@@ -0,0 +1,13 @@
 class packstack::neutron::lbaas ()
 {
    class { '::neutron::agents::lbaas':
      interface_driver => hiera('CONFIG_NEUTRON_LBAAS_INTERFACE_DRIVER'),
      device_driver    => 'neutron.services.loadbalancer.drivers.haproxy.namespace_driver.HaproxyNSDriver',
      user_group       => 'haproxy',
      debug            => hiera('CONFIG_DEBUG_MODE'),
    }
    class {'::neutron::services::lbaas':
      service_providers => 'LOADBALANCER:Haproxy:neutron_lbaas.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default',
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/neutron/metadata.pp
+++ b/packstack/puppet/modules/packstack/manifests/neutron/metadata.pp
@@ -0,0 +1,9 @@
 class packstack::neutron::metadata ()
 {
    class { '::neutron::agents::metadata':
      shared_secret    => hiera('CONFIG_NEUTRON_METADATA_PW'),
      metadata_ip      => force_ip(hiera('CONFIG_KEYSTONE_HOST_URL')),
      debug            => hiera('CONFIG_DEBUG_MODE'),
      metadata_workers => hiera('CONFIG_SERVICE_WORKERS'),
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/neutron/metering.pp
+++ b/packstack/puppet/modules/packstack/manifests/neutron/metering.pp
@@ -0,0 +1,7 @@
 class packstack::neutron::metering ()
 {
    class { '::neutron::agents::metering':
      interface_driver => hiera('CONFIG_NEUTRON_METERING_IFCE_DRIVER'),
      debug            => hiera('CONFIG_DEBUG_MODE'),
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/neutron/ml2.pp
+++ b/packstack/puppet/modules/packstack/manifests/neutron/ml2.pp
@@ -0,0 +1,31 @@
 class packstack::neutron::ml2 ()
 {
    if hiera('CONFIG_NEUTRON_ML2_VXLAN_GROUP') == '' {
      $vxlan_group_value = undef
    } else {
      $vxlan_group_value = hiera('CONFIG_NEUTRON_ML2_VXLAN_GROUP')
    }
    class { '::neutron::plugins::ml2':
      type_drivers              => hiera_array('CONFIG_NEUTRON_ML2_TYPE_DRIVERS'),
      tenant_network_types      => hiera_array('CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES'),
      mechanism_drivers         => hiera_array('CONFIG_NEUTRON_ML2_MECHANISM_DRIVERS'),
      flat_networks             => hiera_array('CONFIG_NEUTRON_ML2_FLAT_NETWORKS'),
      network_vlan_ranges       => hiera_array('CONFIG_NEUTRON_ML2_VLAN_RANGES'),
      tunnel_id_ranges          => hiera_array('CONFIG_NEUTRON_ML2_TUNNEL_ID_RANGES'),
      vxlan_group               => $vxlan_group_value,
      vni_ranges                => hiera_array('CONFIG_NEUTRON_ML2_VNI_RANGES'),
      enable_security_group     => true,
      firewall_driver           => hiera('FIREWALL_DRIVER'),
      supported_pci_vendor_devs => hiera_array('CONFIG_NEUTRON_ML2_SUPPORTED_PCI_VENDOR_DEVS'),
      sriov_agent_required      => hiera('CONFIG_NEUTRON_ML2_SRIOV_AGENT_REQUIRED'),
    }
    # For cases where "neutron-db-manage upgrade" command is called
    # we need to fill config file first
    if defined(Exec['neutron-db-manage upgrade']) {
      Neutron_plugin_ml2<||> ->
      File['/etc/neutron/plugin.ini'] ->
      Exec['neutron-db-manage upgrade']
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/neutron/notifications.pp
+++ b/packstack/puppet/modules/packstack/manifests/neutron/notifications.pp
@@ -0,0 +1,14 @@
 class packstack::neutron::notifications ()
 {
    $neutron_notif_cfg_ctrl_host = hiera('CONFIG_KEYSTONE_HOST_URL')
    # Configure nova notifications system
    class { '::neutron::server::notifications':
      username    => 'nova',
      password    => hiera('CONFIG_NOVA_KS_PW'),
      tenant_name => 'services',
      nova_url    => "http://${neutron_notif_cfg_ctrl_host}:8774/v2",
      auth_url    => hiera('CONFIG_KEYSTONE_ADMIN_URL'),
      region_name => hiera('CONFIG_KEYSTONE_REGION'),
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/neutron/ovs_agent.pp
+++ b/packstack/puppet/modules/packstack/manifests/neutron/ovs_agent.pp
@@ -0,0 +1,55 @@
 class packstack::neutron::ovs_agent ()
 {
    $my_ip = choose_my_ip(hiera('HOST_LIST'))
    $neutron_tunnel_rule_name = "FIREWALL_NEUTRON_TUNNEL_RULES_${my_ip}"
    create_resources(packstack::firewall, hiera($neutron_tunnel_rule_name, {}))
    $neutron_ovs_tunnel_if = hiera('CONFIG_NEUTRON_OVS_TUNNEL_IF', undef)
    $use_subnets_value = hiera('CONFIG_USE_SUBNETS')
    $use_subnets = $use_subnets_value ? {
      'y'     => true,
      default => false,
    }
    if $neutron_ovs_tunnel_if {
      $ovs_agent_vxlan_cfg_neut_ovs_tun_if = force_interface($neutron_ovs_tunnel_if, $use_subnets)
    } else {
      $ovs_agent_vxlan_cfg_neut_ovs_tun_if = undef
    }
    if $ovs_agent_vxlan_cfg_neut_ovs_tun_if != '' {
      $iface = regsubst($ovs_agent_vxlan_cfg_neut_ovs_tun_if, '[\.\-\:]', '_', 'G')
      $localip = inline_template("<%= scope.lookupvar('::ipaddress_${iface}') %>")
    } else {
      $localip = choose_my_ip(hiera('HOST_LIST'))
    }
    $network_hosts =  split(hiera('CONFIG_NETWORK_HOSTS'),',')
    if member($network_hosts, choose_my_ip(hiera('HOST_LIST'))) {
      $bridge_ifaces_param = 'CONFIG_NEUTRON_OVS_BRIDGE_IFACES'
      $bridge_mappings_param = 'CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS'
    } else {
      $bridge_ifaces_param = 'CONFIG_NEUTRON_OVS_BRIDGE_IFACES_COMPUTE'
      $bridge_mappings_param = 'CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS_COMPUTE'
    }
    if hiera('CREATE_BRIDGES') == 'y' {
      $bridge_uplinks  = hiera_array($bridge_ifaces_param)
      $bridge_mappings = hiera_array($bridge_mappings_param)
    } else {
      $bridge_uplinks  = []
      $bridge_mappings = []
    }
    class { '::neutron::agents::ml2::ovs':
      bridge_uplinks   => $bridge_uplinks,
      bridge_mappings  => $bridge_mappings,
      enable_tunneling => hiera('CONFIG_NEUTRON_OVS_TUNNELING'),
      tunnel_types     => hiera_array('CONFIG_NEUTRON_OVS_TUNNEL_TYPES'),
      local_ip         => force_ip($localip),
      vxlan_udp_port   => hiera('CONFIG_NEUTRON_OVS_VXLAN_UDP_PORT',undef),
      l2_population    => hiera('CONFIG_NEUTRON_USE_L2POPULATION'),
      firewall_driver  => hiera('FIREWALL_DRIVER'),
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/neutron/ovs_bridge.pp
+++ b/packstack/puppet/modules/packstack/manifests/neutron/ovs_bridge.pp
@@ -0,0 +1,11 @@
 class packstack::neutron::ovs_bridge ()
 {
  $agent_service = 'neutron-ovs-agent-service'
  $config_neutron_ovs_bridge = hiera('CONFIG_NEUTRON_OVS_BRIDGE')
  vs_bridge { $config_neutron_ovs_bridge:
    ensure  => present,
    require => Service[$agent_service],
  }
 }
--- a/packstack/puppet/modules/packstack/manifests/neutron/rabbitmq.pp
+++ b/packstack/puppet/modules/packstack/manifests/neutron/rabbitmq.pp
@@ -0,0 +1,40 @@
 class packstack::neutron::rabbitmq ()
 {
    $bind_host = hiera('CONFIG_IP_VERSION') ? {
      'ipv6'  => '::0',
      default => '0.0.0.0',
      # TO-DO(mmagr): Add IPv6 support when hostnames are used
    }
    $kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
    $kombu_ssl_keyfile = hiera('CONFIG_NEUTRON_SSL_KEY', undef)
    $kombu_ssl_certfile = hiera('CONFIG_NEUTRON_SSL_CERT', undef)
    if $kombu_ssl_keyfile {
      $files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
      file { $files_to_set_owner:
        owner   => 'neutron',
        group   => 'neutron',
        require => Package['openstack-neutron'],
      }
      File[$files_to_set_owner] ~> Service<| tag == 'neutron-service' |>
    }
    class { '::neutron':
      bind_host             => $bind_host,
      rabbit_host           => hiera('CONFIG_AMQP_HOST_URL'),
      rabbit_port           => hiera('CONFIG_AMQP_CLIENTS_PORT'),
      rabbit_use_ssl        => hiera('CONFIG_AMQP_SSL_ENABLED'),
      rabbit_user           => hiera('CONFIG_AMQP_AUTH_USER'),
      rabbit_password       => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
      core_plugin           => hiera('CONFIG_NEUTRON_CORE_PLUGIN'),
      allow_overlapping_ips => true,
      service_plugins       => hiera_array('SERVICE_PLUGINS'),
      verbose               => true,
      debug                 => hiera('CONFIG_DEBUG_MODE'),
      kombu_ssl_ca_certs  => $kombu_ssl_ca_certs,
      kombu_ssl_keyfile   => $kombu_ssl_keyfile,
      kombu_ssl_certfile  => $kombu_ssl_certfile,
    }
 }
--- a/packstack/puppet/modules/packstack/manifests/neutron/sriov.pp
+++ b/packstack/puppet/modules/packstack/manifests/neutron/sriov.pp
@@ -0,0 +1,6 @@
 class packstack::neutron::sriov ()
 {
    class { 'neutron::agents::ml2::sriov' :
      physical_device_mappings   => hiera_array('CONFIG_NEUTRON_ML2_SRIOV_INTERFACE_MAPPINGS'),
    }
 }
--- a/Show More
+++ b/Show More