Install via puppet

Migrate as much as we're initially able to over to be installed via Puppet
instead of elements from tripleo-image-elements. This change is rather large,
but it's all more or less inter-dependent so I wasn't able to break it up any
finer.

The bulk of the change is a new element, puppet-stack-config. That element
installs a puppet manifest at /etc/puppet/manifests/puppet-stack-config.pp that
is applied via puppet during the os-refresh-config phase of the installation.
When the manifest is applied, it uses a hiera data file from
/etc/puppet/hieradata/puppet-stack-config.yaml as input. That file is generated
from a template.

The Puppet modules require a handful of additional inputs for password and
secret items. These inputs are added to the instack.answers.sample file and
instack-install-undercloud.

We're able to remove many items from the static json we're writing out to
/var/lib/heat-cfntools/cfn-init-data, but we still need this for some
configuration as not everything is driven via a Puppet module (os-net-config)
for instance.

Also kemoves some particular hooks scripts that are no longer needed in
instack-undercloud.

This fix-undercloud-package-installs element is no longer needed. It's
addressing bugs that have already been fixed.

Change-Id: I9b93569f193c58d3e98063a1a90c3946a3a886db

elements/fix-undercloud-package-installs/pre-install.d/10-fix-undercloud-package-installs

@@ -1,18 +0,0 @@
-#!/bin/bash
-
-set -eux
-set -o pipefail
-
-if rpm -q fedora-release; then
-    if ! rpm -q openstack-ironic; then
-        yum -y install openstack-ironic-common
-    fi
-
-    # https://bugzilla.redhat.com/show_bug.cgi?id=1154720
-    chmod 0440 /etc/sudoers.d/ironic
-
-    # Make sure python-netaddr is the latest version from RDO juno,
-    # otherwise pip from ironic-discoverd will install a later version,
-    # then the rpm update later will fail.
-    yum -y update python-netaddr
-fi

elements/ironic-discoverd/os-apply-config/etc/ironic-discoverd/discoverd.conf

@@ -1,6 +1,6 @@
 [discoverd]
 debug = false
-os_auth_url = http://{{keystone.host}}:5000/v2.0
+os_auth_url = http://{{local-ip}}:5000/v2.0
 os_username = ironic
 os_password = {{ironic.service-password}}
 os_tenant_name = service

elements/ironic-discoverd/os-apply-config/tftpboot/pxelinux.cfg/default

@@ -2,6 +2,6 @@ default discover
 
 label discover
 kernel discovery.kernel
-append initrd=discovery.ramdisk discoverd_callback_url=http://{{local-ipv4}}:5050/v1/continue
+append initrd=discovery.ramdisk discoverd_callback_url=http://{{local-ip}}:5050/v1/continue
 ipappend 3
 

elements/puppet-stack-config/README.rst

@@ -0,0 +1,9 @@
+puppet-stack-config
+-------------------
+
+puppet-stack-config provides static puppet configuration for a single node
+baremetal cloud using the Ironic driver. A yaml template is used to render a
+hiera data file at /etc/puppet/hieradata/puppet-stack-config.yaml.
+
+The template rendering takes its input from a set of defined environment
+variables.

elements/puppet-stack-config/element-deps

@@ -0,0 +1,2 @@
+hiera
+puppet-modules

elements/puppet-stack-config/extra-data.d/10-install-git

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -eux
+
+yum -y install git

elements/puppet-stack-config/install.d/02-puppet-stack-config

@@ -0,0 +1,72 @@
+#!/usr/bin/python
+# Copyright 2015 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import os
+import shutil
+import subprocess
+import tempfile
+
+import pystache
+
+renderer = pystache.Renderer()
+template = os.path.join(os.path.dirname(__file__),
+                        '..',
+                        'puppet-stack-config.yaml.template')
+
+keystone_pki_dir = tempfile.mkdtemp()
+subprocess.check_call(['generate-keystone-pki', '-d', keystone_pki_dir])
+
+context = {
+    'LOCAL_IP': os.environ.get('LOCAL_IP', '192.0.2.1'),
+    'UNDERCLOUD_ADMIN_TOKEN': os.environ.get('UNDERCLOUD_ADMIN_TOKEN', 'unset'),
+    'UNDERCLOUD_ADMIN_PASSWORD': os.environ.get('UNDERCLOUD_ADMIN_PASSWORD', 'unset'),
+    'UNDERCLOUD_RABBIT_USERNAME': os.environ.get('UNDERCLOUD_RABBIT_USERNAME', 'guest'),
+    'UNDERCLOUD_RABBIT_PASSWORD': os.environ.get('UNDERCLOUD_RABBIT_PASSWORD', 'guest'),
+    'UNDERCLOUD_RABBIT_COOKIE': os.environ.get('UNDERCLOUD_RABBIT_COOKIE', 'guest'),
+    'UNDERCLOUD_SWIFT_HASH_SUFFIX': os.environ.get('UNDERCLOUD_SWIFT_HASH_SUFFIX', 'unset'),
+    'UNDERCLOUD_SWIFT_PASSWORD': os.environ.get('UNDERCLOUD_SWIFT_PASSWORD', 'unset'),
+    'UNDERCLOUD_GLANCE_PASSWORD': os.environ.get('UNDERCLOUD_GLANCE_PASSWORD', 'unset'),
+    'UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD': os.environ.get('UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD', 'unset'),
+    'UNDERCLOUD_HEAT_PASSWORD': os.environ.get('UNDERCLOUD_HEAT_PASSWORD', 'unset'),
+    'UNDERCLOUD_NEUTRON_PASSWORD': os.environ.get('UNDERCLOUD_NEUTRON_PASSWORD', 'unset'),
+    'LOCAL_INTERFACE': os.environ.get('LOCAL_INTERFACE', 'eth1'),
+    'UNDERCLOUD_CEILOMETER_METERING_SECRET': os.environ.get('UNDERCLOUD_CEILOMETER_METERING_SECRET', 'unset'),
+    'UNDERCLOUD_CEILOMETER_PASSWORD': os.environ.get('UNDERCLOUD_CEILOMETER_PASSWORD', 'unset'),
+    'UNDERCLOUD_CEILOMETER_SNMPD_USER': os.environ.get('UNDERCLOUD_CEILOMETER_SNMPD_USER', 'unset'),
+    'UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD': os.environ.get('UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD', 'unset'),
+    'UNDERCLOUD_NOVA_PASSWORD': os.environ.get('UNDERCLOUD_NOVA_PASSWORD', 'unset'),
+    'UNDERCLOUD_IRONIC_PASSWORD': os.environ.get('UNDERCLOUD_IRONIC_PASSWORD', 'unset'),
+    'UNDERCLOUD_TUSKAR_PASSWORD': os.environ.get('UNDERCLOUD_TUSKAR_PASSWORD', 'unset'),
+
+    'KEYSTONE_SIGNING_CERTIFICATE':
+        open(os.path.join(keystone_pki_dir, 'signing_cert.pem')).read(),
+    'KEYSTONE_SIGNING_KEY':
+        open(os.path.join(keystone_pki_dir, 'signing_key.pem')).read(),
+    'KEYSTONE_CA_CERTIFICATE':
+        open(os.path.join(keystone_pki_dir, 'ca_cert.pem')).read(),
+    'KEYSTONE_CA_KEY':
+        open(os.path.join(keystone_pki_dir, 'ca_key.pem')).read(),
+}
+
+with open(template) as f:
+    puppet_stack_config_yaml = renderer.render(f.read(), context)
+
+puppet_stack_config_yaml_path = '/etc/puppet/hieradata/puppet-stack-config.yaml'
+
+if not os.path.exists(os.path.dirname(puppet_stack_config_yaml_path)):
+    os.makedirs(os.path.dirname(puppet_stack_config_yaml_path))
+with open(puppet_stack_config_yaml_path, 'w') as f:
+    f.write(puppet_stack_config_yaml)

elements/puppet-stack-config/install.d/10-puppet-stack-config-puppet-module

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -eux
+set -o pipefail
+
+mkdir -p /etc/puppet/manifests
+cp $(dirname $0)/../puppet-stack-config.pp /etc/puppet/manifests/puppet-stack-config.pp

elements/puppet-stack-config/install.d/20-ironic-user

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -eux
+
+# Ironic conductor requires that we run install.d/69-ironic-tftp-support
+# from the tripleo-image-element ironic-conductor element. This is actually
+# a big gap in functionaliity for the ironic puppet module. Since we still have
+# to include the ironic-conductor element here, but the package is not yet
+# installed, we must pre-create the ironic user
+if ! id ironic; then
+    useradd ironic
+fi

elements/puppet-stack-config/os-refresh-config/configure.d/50-puppet-stack-config

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -eux
+set -o pipefail
+
+set +e
+puppet apply --detailed-exitcodes /etc/puppet/manifests/puppet-stack-config.pp
+rc=$?
+set -e
+
+echo "puppet apply exited with exit code $rc"
+
+if [ $rc != 2 -a $rc != 0 ]; then
+    exit $rc
+fi

elements/puppet-stack-config/os-refresh-config/post-configure.d/10-tftp-iptables

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -eux
+set -o pipefail
+
+add-rule INPUT -m udp -p udp --dport 69 -j ACCEPT
+add-rule INPUT -p tcp -m multiport --dports 8773,8774,8775 -j ACCEPT
+add-rule INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT
+add-rule INPUT -p tcp --dport 8585 -j ACCEPT
+add-rule INPUT -p tcp -m multiport --dports 6080 -j ACCEPT
+add-rule INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
+add-rule INPUT -p tcp --dport 9292 -j ACCEPT
+add-rule INPUT -p tcp --dport 9191 -j ACCEPT
+add-rule INPUT -p tcp --dport 6385 -j ACCEPT
+add-rule FORWARD -d 192.0.2.0/24 -j ACCEPT
+add-rule FORWARD -d 192.168.122.0/24 -j ACCEPT
+add-rule INPUT -p tcp --dport $(os-apply-config --key 'horizon.port' --type int --key-default 80) -j ACCEPT
+add-rule INPUT -p tcp --dport 5672  -j ACCEPT
+add-rule INPUT -p tcp -m multiport --dports 8000,8003,8004 -j ACCEPT
+add-rule INPUT -p tcp -m multiport --dports 8779 -j ACCEPT
+
+
+EXTERNAL_BRIDGE=br-ctlplane
+iptables -t nat -C PREROUTING -d 169.254.169.254/32 -i $EXTERNAL_BRIDGE -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775 || iptables -t nat -I PREROUTING -d 169.254.169.254/32 -i $EXTERNAL_BRIDGE -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775
+

elements/puppet-stack-config/package-installs.yaml

@@ -0,0 +1,3 @@
+os-cloud-config:
+pystache:
+python-oslo-concurrency:

elements/puppet-stack-config/puppet-stack-config.pp

@@ -0,0 +1,301 @@
+# Copyright 2015 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+if count(hiera('ntp::servers')) > 0 {
+  include ::ntp
+}
+
+# TODO Galara
+class { 'mysql::server':
+  override_options => {
+    'mysqld' => {
+      'bind-address' => hiera('controller_host')
+    }
+  }
+}
+
+# FIXME: this should only occur on the bootstrap host (ditto for db syncs)
+# Create all the database schemas
+# Example DSN format: mysql://user:password@host/dbname
+$allowed_hosts = ['%',hiera('controller_host')]
+$keystone_dsn = split(hiera('keystone::database_connection'), '[@:/?]')
+class { 'keystone::db::mysql':
+  user          => $keystone_dsn[3],
+  password      => $keystone_dsn[4],
+  host          => $keystone_dsn[5],
+  dbname        => $keystone_dsn[6],
+  allowed_hosts => $allowed_hosts,
+}
+$glance_dsn = split(hiera('glance::api::database_connection'), '[@:/?]')
+class { 'glance::db::mysql':
+  user          => $glance_dsn[3],
+  password      => $glance_dsn[4],
+  host          => $glance_dsn[5],
+  dbname        => $glance_dsn[6],
+  allowed_hosts => $allowed_hosts,
+}
+$nova_dsn = split(hiera('nova::database_connection'), '[@:/?]')
+class { 'nova::db::mysql':
+  user          => $nova_dsn[3],
+  password      => $nova_dsn[4],
+  host          => $nova_dsn[5],
+  dbname        => $nova_dsn[6],
+  allowed_hosts => $allowed_hosts,
+}
+$neutron_dsn = split(hiera('neutron::server::database_connection'), '[@:/?]')
+class { 'neutron::db::mysql':
+  user          => $neutron_dsn[3],
+  password      => $neutron_dsn[4],
+  host          => $neutron_dsn[5],
+  dbname        => $neutron_dsn[6],
+  allowed_hosts => $allowed_hosts,
+}
+$heat_dsn = split(hiera('heat_dsn'), '[@:/?]')
+class { 'heat::db::mysql':
+  user          => $heat_dsn[3],
+  password      => $heat_dsn[4],
+  host          => $heat_dsn[5],
+  dbname        => $heat_dsn[6],
+  allowed_hosts => $allowed_hosts,
+}
+$ceilometer_dsn = split(hiera('ceilometer::db::database_connection'), '[@:/?]')
+class { 'ceilometer::db::mysql':
+  user          => $ceilometer_dsn[3],
+  password      => $ceilometer_dsn[4],
+  host          => $ceilometer_dsn[5],
+  dbname        => $ceilometer_dsn[6],
+  allowed_hosts => $allowed_hosts,
+}
+$ironic_dsn = split(hiera('ironic::database_connection'), '[@:/?]')
+class { 'ironic::db::mysql':
+user          => $ironic_dsn[3],
+password      => $ironic_dsn[4],
+host          => $ironic_dsn[5],
+dbname        => $ironic_dsn[6],
+allowed_hosts => $allowed_hosts,
+}
+
+if $::osfamily == 'RedHat' {
+  $rabbit_provider = 'yum'
+} else {
+  $rabbit_provider = undef
+}
+
+Class['rabbitmq'] -> Rabbitmq_vhost <| |>
+Class['rabbitmq'] -> Rabbitmq_user <| |>
+Class['rabbitmq'] -> Rabbitmq_user_permissions <| |>
+
+# TODO Rabbit HA
+class { 'rabbitmq':
+  package_provider  => $rabbit_provider,
+  config_cluster    => false,
+  node_ip_address   => hiera('controller_host'),
+}
+
+rabbitmq_vhost { '/':
+  provider => 'rabbitmqctl',
+}
+rabbitmq_user { ['nova','glance','neutron','ceilometer','heat']:
+  admin    => true,
+  password => hiera('rabbit_password'),
+  provider => 'rabbitmqctl',
+}
+
+rabbitmq_user_permissions {[
+  'nova@/',
+  'glance@/',
+  'neutron@/',
+  'ceilometer@/',
+  'heat@/',
+]:
+  configure_permission => '.*',
+  write_permission     => '.*',
+  read_permission      => '.*',
+  provider             => 'rabbitmqctl',
+}
+
+# pre-install swift here so we can build rings
+include ::swift
+
+include ::keystone
+
+#TODO: need a cleanup-keystone-tokens.sh solution here
+keystone_config {
+  'ec2/driver': value => 'keystone.contrib.ec2.backends.sql.Ec2';
+}
+file { [ '/etc/keystone/ssl', '/etc/keystone/ssl/certs', '/etc/keystone/ssl/private' ]:
+  ensure  => 'directory',
+  owner   => 'keystone',
+  group   => 'keystone',
+  require => Package['keystone'],
+}
+file { '/etc/keystone/ssl/certs/signing_cert.pem':
+  content => hiera('keystone_signing_certificate'),
+  owner   => 'keystone',
+  group   => 'keystone',
+  notify  => Service['keystone'],
+  require => File['/etc/keystone/ssl/certs'],
+}
+file { '/etc/keystone/ssl/private/signing_key.pem':
+  content => hiera('keystone_signing_key'),
+  owner   => 'keystone',
+  group   => 'keystone',
+  notify  => Service['keystone'],
+  require => File['/etc/keystone/ssl/private'],
+}
+file { '/etc/keystone/ssl/certs/ca.pem':
+  content => hiera('keystone_ca_certificate'),
+  owner   => 'keystone',
+  group   => 'keystone',
+  notify  => Service['keystone'],
+  require => File['/etc/keystone/ssl/certs'],
+}
+
+# TODO: notifications, scrubber, etc.
+include ::glance::api
+include ::glance::registry
+include ::glance::backend::file
+
+class { 'nova':
+  rabbit_hosts           => [hiera('controller_host')],
+  glance_api_servers     => join([hiera('glance_protocol'), '://', hiera('controller_host'), ':', hiera('glance_port')]),
+}
+
+include ::nova::api
+include ::nova::cert
+include ::nova::conductor
+include ::nova::consoleauth
+include ::nova::vncproxy
+include ::nova::scheduler
+
+class {'neutron':
+  rabbit_hosts => [hiera('controller_host')],
+}
+
+include ::neutron::server
+include ::neutron::agents::dhcp
+
+class { 'neutron::plugins::ml2':
+  flat_networks        => split(hiera('neutron_flat_networks'), ','),
+}
+
+class { 'neutron::agents::ml2::ovs':
+  bridge_mappings  => split(hiera('neutron_bridge_mappings'), ','),
+}
+
+# swift proxy
+include ::memcached
+include ::swift::proxy
+include ::swift::proxy::proxy_logging
+include ::swift::proxy::healthcheck
+include ::swift::proxy::cache
+include ::swift::proxy::keystone
+include ::swift::proxy::authtoken
+include ::swift::proxy::staticweb
+include ::swift::proxy::ceilometer
+include ::swift::proxy::ratelimit
+include ::swift::proxy::catch_errors
+include ::swift::proxy::tempauth
+include ::swift::proxy::tempurl
+include ::swift::proxy::formpost
+
+# swift storage
+class {'swift::storage::all':
+  mount_check => str2bool(hiera('swift_mount_check'))
+}
+if(!defined(File['/srv/node'])) {
+  file { '/srv/node':
+    ensure  => directory,
+    owner   => 'swift',
+    group   => 'swift',
+    require => Package['openstack-swift'],
+  }
+}
+$swift_components = ['account', 'container', 'object']
+swift::storage::filter::recon { $swift_components : }
+swift::storage::filter::healthcheck { $swift_components : }
+
+# Ceilometer
+include ::ceilometer
+include ::ceilometer::api
+include ::ceilometer::db
+include ::ceilometer::agent::notification
+include ::ceilometer::agent::central
+include ::ceilometer::alarm::notifier
+include ::ceilometer::alarm::evaluator
+include ::ceilometer::expirer
+include ::ceilometer::collector
+class { 'ceilometer::agent::auth':
+  auth_url => join(['http://', hiera('controller_host'), ':5000/v2.0']),
+}
+
+Cron <| title == 'ceilometer-expirer' |> { command => "sleep $((\$(od -A n -t d -N 3 /dev/urandom) % 86400)) && ${::ceilometer::params::expirer_command}" }
+
+# Heat
+include ::heat
+include ::heat::api
+include ::heat::api_cfn
+include ::heat::api_cloudwatch
+include ::heat::engine
+
+$snmpd_user = hiera('snmpd_readonly_user_name')
+snmp::snmpv3_user { $snmpd_user:
+  authtype => 'MD5',
+  authpass => hiera('snmpd_readonly_user_password'),
+}
+class { 'snmp':
+  agentaddress => ['udp:161','udp6:[::1]:161'],
+  snmpd_config => [ join(['rouser ', hiera('snmpd_readonly_user_name')]), 'proc  cron', 'includeAllDisks  10%', 'master agentx', 'trapsink localhost public', 'iquerySecName internalUser', 'rouser internalUser', 'defaultMonitors yes', 'linkUpDownNotifications yes' ],
+}
+
+class { 'nova::compute':
+  enabled => true,
+}
+
+nova_config {
+  'DEFAULT/my_ip':                     value => $ipaddress;
+  'DEFAULT/linuxnet_interface_driver': value => 'nova.network.linux_net.LinuxOVSInterfaceDriver';
+}
+
+
+class { 'nova::compute::ironic':
+  admin_user        => 'ironic',
+  admin_passwd    => hiera('ironic::api::admin_password'),
+  admin_tenant_name => hiera('ironic::api::admin_tenant_name'),
+  api_endpoint      => join(['http://', hiera('controller_host'), ':6385/v1']),
+}
+
+class { 'nova::network::neutron':
+  neutron_admin_auth_url    => join(['http://', hiera('controller_host'), ':35357/v2.0']),
+  neutron_url               => join(['http://', hiera('controller_host'), ':9696']),
+  neutron_admin_password    => hiera('neutron::server::auth_password'),
+  neutron_admin_tenant_name => hiera('neutron::server::auth_tenant'),
+  neutron_region_name       => '',
+}
+
+include ::ironic::conductor
+
+class { 'ironic':
+  enabled_drivers => ['pxe_ipmitool', 'pxe_ssh']
+}
+
+class { 'ironic::api':
+  host_ip => hiera('controller_host'),
+}
+
+ironic_config {
+  'DEFAULT/my_ip':                value => hiera('controller_host');
+  'glance/host':                  value => hiera('glance::api::bind_host');
+}

elements/puppet-stack-config/puppet-stack-config.yaml.template

@@ -0,0 +1,185 @@
+debug: false
+controller_host: {{LOCAL_IP}} #local-ipv4
+ntp::servers:
+  -
+
+# Common Hiera data gets applied to all nodes
+ssh::server::storeconfigs_enabled: false
+
+# ceilometer settings used by compute and controller ceilo auth settings
+ceilometer::agent::auth::auth_region: 'regionOne'
+# FIXME: Might be better to use 'service' tenant here but this requires
+# changes in the tripleo-incubator keystone role setup
+ceilometer::agent::auth::auth_tenant_name: 'admin'
+
+# Swift
+swift::proxy::proxy_local_net_ip: {{LOCAL_IP}}
+swift::proxy::authtoken::auth_host: {{LOCAL_IP}}
+swift::storage::all::storage_local_net_ip: {{LOCAL_IP}}
+swift::swift_hash_suffix: {{UNDERCLOUD_SWIFT_HASH_SUFFIX}}
+swift::proxy::account_autocreate: true
+swift::proxy::authtoken::admin_password: {{UNDERCLOUD_SWIFT_PASSWORD}}
+tripleo::ringbuilder::part_power: 10
+tripleo::ringbuilder::replicas: 3
+tripleo::ringbuilder::min_part_hours: 1
+swift_mount_check: false
+
+swift::proxy::pipeline:
+  - 'catch_errors'
+  - 'healthcheck'
+  - 'cache'
+  - 'ratelimit'
+  - 'tempurl'
+  - 'formpost'
+  - 'staticweb'
+  - 'ceilometer'
+  - 'authtoken'
+  - 'keystone'
+  - 'proxy-logging'
+  - 'proxy-server'
+
+# NOTE(dprince): build_ring support is currently not wired in.
+# See: https://review.openstack.org/#/c/109225/
+tripleo::ringbuilder::build_ring: True
+
+# Glance
+glance::api::bind_port: 9292
+glance::api::bind_host: {{LOCAL_IP}}
+glance::api::auth_host: {{LOCAL_IP}}
+glance::api::registry_host: {{LOCAL_IP}}
+glance::api::keystone_password: {{UNDERCLOUD_GLANCE_PASSWORD}}
+glance::api::known_stores:
+  - glance.store.filesystem.Store
+  - glance.store.swift.Store
+glance::api::pipeline: 'keystone'
+# used to construct glance_api_servers
+glance_port: 9292
+glance_protocol: http
+glance_notifier_strategy: noop
+glance_log_file: ''
+glance::api::database_connection: mysql://glance:unset@{{LOCAL_IP}}/glance
+glance::registry::keystone_password: {{UNDERCLOUD_GLANCE_PASSWORD}}
+glance::registry::database_connection: mysql://glance:unset@{{LOCAL_IP}}/glance
+glance::registry::bind_host: {{LOCAL_IP}}
+glance::registry::auth_host: {{LOCAL_IP}}
+glance::registry::manage_service: true
+glance::registry::pipeline: 'keystone'
+
+# Heat
+heat_stack_domain_admin_password: {{UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD}}
+heat::engine::configure_delegated_roles: false
+heat::engine::heat_stack_user_role: 'heat_stack_user'
+heat::engine::heat_watch_server_url: http://{{LOCAL_IP}}:8003
+heat::engine::heat_metadata_server_url: http://{{LOCAL_IP}}:8000
+heat::engine::heat_waitcondition_server_url: http://{{LOCAL_IP}}:8000/v1/waitcondition
+heat::engine::trusts_delegated_roles: []
+heat::engine::auth_encryption_key: unset___________
+heat::instance_user: heat-admin
+heat::rabbit_userid: {{UNDERCLOUD_RABBIT_USERNAME}}
+heat::rabbit_password: {{UNDERCLOUD_RABBIT_PASSWORD}}
+heat::rabbit_host: {{LOCAL_IP}}
+heat::keystone_host: {{LOCAL_IP}}
+heat::keystone_password: {{UNDERCLOUD_HEAT_PASSWORD}}
+heat::api::bind_host: {{LOCAL_IP}}
+heat::api_cloudwatch::bind_host: {{LOCAL_IP}}
+heat::api_cfn::bind_host: {{LOCAL_IP}}
+heat::database_connection: mysql://heat:unset@{{LOCAL_IP}}/heat
+heat_dsn: mysql://heat:unset@{{LOCAL_IP}}/heat
+
+# Keystone
+keystone::admin_token: {{UNDERCLOUD_ADMIN_TOKEN}}
+keystone_ca_certificate: '{{KEYSTONE_CA_CERTIFICATE}}'
+keystone_signing_key: '{{KEYSTONE_SIGNING_KEY}}'
+keystone_signing_certificate: '{{KEYSTONE_SIGNING_CERTIFICATE}}'
+keystone::database_connection: mysql://keystone:unset@{{LOCAL_IP}}/keystone
+keystone::public_bind_host: 0.0.0.0
+keystone::admin_bind_host: 0.0.0.0
+
+# MySQL
+admin_password: {{UNDERCLOUD_ADMIN_PASSWORD}}
+mysql_innodb_buffer_pool_size: 0
+mysql_root_password: ''
+mysql_cluster_name: unset
+mysql::server::manage_config_file: true
+
+# Neutron
+neutron::bind_host: {{LOCAL_IP}}
+neutron::core_plugin: ml2
+neutron::dhcp_agents_per_network: 2
+neutron::rabbit_password: {{UNDERCLOUD_RABBIT_PASSWORD}}
+neutron::rabbit_user: {{UNDERCLOUD_RABBIT_USER}}
+neutron::server::auth_host: {{LOCAL_IP}}
+neutron::server::database_connection: mysql://neutron:unset@{{LOCAL_IP}}/neutron
+neutron::server::sync_db: true
+neutron::agents::ml2::ovs::enable_tunneling: True
+neutron::agents::ml2::ovs::local_ip: {{LOCAL_IP}}
+neutron_flat_networks: ''
+neutron_mechanism_drivers: openvswitch
+neutron_bridge_mappings: ctlplane:br-ctlplane
+neutron_public_interface: {{LOCAL_INTERFACE}}
+neutron_physical_bridge: br-ctlplane
+neutron::server::auth_password: {{UNDERCLOUD_NEUTRON_PASSWORD}}
+neutron::agents::metadata::auth_password: {{UNDERCLOUD_NEUTRON_PASSWORD}}
+
+# Ceilometer
+ceilometer::metering_secret: {{UNDERCLOUD_CEILOMETER_METERING_SECRET}}
+ceilometer::rabbit_userid: {{UNDERCLOUD_RABBIT_USERNAME}}
+ceilometer::rabbit_password: {{UNDERCLOUD_RABBIT_PASSWORD}}
+ceilometer::rabbit_host: {{LOCAL_IP}}
+ceilometer::api::host: {{LOCAL_IP}}
+ceilometer::api::keystone_password: {{UNDERCLOUD_CEILOMETER_PASSWORD}}
+ceilometer::api::keystone_host: {{LOCAL_IP}}
+ceilometer::db::database_connection: mysql://ceilometer:unset@{{LOCAL_IP}}/ceilometer
+ceilometer::agent::auth::auth_password: {{UNDERCLOUD_CEILOMETER_PASSWORD}}
+ceilometer_compute_agent: ''
+snmpd_readonly_user_name: {{UNDERCLOUD_CEILOMETER_SNMPD_USER}}
+snmpd_readonly_user_password: {{UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD}}
+
+# Nova
+nova::rabbit_userid: {{UNDERCLOUD_RABBIT_USERNAME}}
+nova::rabbit_password: {{UNDERCLOUD_RABBIT_PASSWORD}}
+nova::api::auth_host: {{LOCAL_IP}}
+nova::api::api_bind_address: {{LOCAL_IP}}
+nova::api::enabled: true
+nova::api::metadata_listen: {{LOCAL_IP}}
+nova::api::admin_password: {{UNDERCLOUD_NOVA_PASSWORD}}
+nova::api::osapi_v3: true
+nova::conductor::enabled: true
+nova::consoleauth::enabled: true
+nova::database_connection: mysql://nova:unset@{{LOCAL_IP}}/nova
+nova::network::neutron::neutron_admin_password: {{UNDERCLOUD_NEUTRON_PASSWORD}}
+nova::notify_on_state_change: 'vm_and_task_state'
+nova::scheduler::enabled: true
+
+# Ironic
+ironic::api::admin_password: {{UNDERCLOUD_IRONIC_PASSWORD}}
+ironic::api::auth_host: {{LOCAL_IP}}
+ironic::database_connection: mysql://ironic:unset@{{LOCAL_IP}}/ironic
+ironic::rabbit_host: {{LOCAL_IP}}
+ironic::rabbit_hosts: {{LOCAL_IP:5672}}
+ironic::rabbit_userid: {{UNDERCLOUD_RABBIT_USERNAME}}
+ironic::rabbit_password: {{UNDERCLOUD_RABBIT_PASSWORD}}
+
+# Rabbit
+rabbit_client_port: 5672
+rabbit_client_use_ssl: false
+rabbit_cookie: {{UNDERCLOUD_RABBIT_COOKIE}}
+rabbitmq::delete_guest_user: false
+rabbitmq::package_source: undef
+rabbitmq::port: '5672'
+rabbitmq::repos_ensure: false
+rabbitmq::wipe_db_on_cookie_change: true
+rabbit_password: {{UNDERCLOUD_RABBIT_PASSWORD}}
+rabbit_username: {{UNDERCLOUD_RABBIT_USERNAME}}
+
+# service tenant
+ceilometer::api::keystone_tenant: 'service'
+cinder::api::keystone_tenant: 'service'
+glance::api::keystone_tenant: 'service'
+glance::registry::keystone_tenant: 'service'
+heat::keystone_tenant: 'service'
+ironic::api::admin_tenant_name: 'service'
+neutron::agents::metadata::auth_tenant: 'service'
+neutron::server::auth_tenant: 'service'
+nova::api::admin_tenant_name: 'service'
+swift::proxy::authtoken::admin_tenant_name: 'service'

elements/undercloud-install/package-installs.yaml

@@ -0,0 +1 @@
+openstack-selinux:

elements/undercloud-install/post-install.d/76-nova-conf-file-injection

@@ -1,11 +0,0 @@
-#!/bin/bash
-
-set -eux
-
-TEMPLATE_PATH=$(os-apply-config --print-templates)
-
-sed -i "s/\[baremetal\]/\[baremetal\]\nuse_file_injection=False/" $TEMPLATE_PATH/etc/nova/nova.conf
-cat >> $TEMPLATE_PATH/etc/nova/nova.conf <<EOF
-[libvirt]
-inject_partition=-2
-EOF

elements/undercloud-install/post-install.d/90-restart-xinetd

@@ -1,8 +0,0 @@
-#!/bin/bash
-
-set -eux
-
-# xinetd controls starting the tftpd daemon so pxelinux.0 can be downloaded.
-# This is not needed upstream b/c usually it starts on boot, but we aren't
-# booting an undercloud here, we're installing one.
-systemctl restart xinetd

elements/undercloud-post-config/os-refresh-config/post-configure.d/98-undercloud-setup

@@ -41,7 +41,7 @@ tripleo wait_for 12 10 service $KEYSTONE_SERVICE status
 # Because keystone just still isn't up yet...
 sleep 20
 
-export UNDERCLOUD_IP=$(os-apply-config --key local-ipv4 --type netaddress)
+export UNDERCLOUD_IP=$(os-apply-config --key local-ip --type netaddress)
 
 init-keystone -o $UNDERCLOUD_IP -t $UNDERCLOUD_ADMIN_TOKEN \
     -e admin@example.com -p $UNDERCLOUD_ADMIN_PASSWORD -u root
@@ -102,4 +102,10 @@ nova quota-update --cores -1 --instances -1 --ram -1 $(keystone tenant-get admin
 # instack-prepare-for-overcloud
 rm -rf $HOME/.novaclient
 
+# restart openstack-nova-compute
+# When installing via puppet, nova-compute fails the first time because the
+# ironic user does not yet exist. Now that the user has been created via
+# setup-endpoints, we need to restart the service.
+systemctl restart openstack-nova-compute
+
 touch $OK_FILE

elements/undercloud-stack-config/config.json.template

@@ -1,160 +1,48 @@
 {
-  "OpenStack::Heat::Stack": {
-  },
-  "deployment-mode": "{{DEPLOYMENT_MODE}}",
-  "admin-password": "{{UNDERCLOUD_ADMIN_PASSWORD}}",
-  "admin-token": "{{UNDERCLOUD_ADMIN_TOKEN}}",
-  "db-password": "{{UNDERCLOUD_DB_PASSWORD}}",
-  "local-ipv4": "{{LOCAL_IP}}",
-  "keystone": {
-    "host": "127.0.0.1",
-    "db": "mysql://keystone:{{UNDERCLOUD_DB_PASSWORD}}@localhost/keystone"
-  },
-  "rabbit": {
-    "host": "127.0.0.1",
-    "password": "guest",
-    "username": "guest",
-    "cookie": "changeme"
-  },
-  "glance": {
-    "backend": "file",
-    "host": "127.0.0.1",
-    "protocol": "http",
-    "port": "9292",
-    "db": "mysql://glance:{{UNDERCLOUD_DB_PASSWORD}}@localhost/glance",
-    "service-password": "{{UNDERCLOUD_GLANCE_PASSWORD}}",
-    "notifier-strategy": "noop",
-    "log-file": "''"
-  },
-  "nova": {
-    "compute_hostname": "undercloud",
-    "host": "127.0.0.1",
-    "db":    "mysql://nova:{{UNDERCLOUD_DB_PASSWORD}}@localhost/nova",
-    "baremetal": {},
-    "compute_driver": "nova.virt.ironic.driver.IronicDriver",
-    "compute_manager": "ironic.nova.compute.manager.ClusteredComputeManager",
-    "scheduler_host_manager": "nova.scheduler.ironic_host_manager.IronicHostManager",
-    "tuning": {
-        "ram_allocation_ratio": "1.0",
-        "reserved_host_memory_mb": "0"
-    },
-    "metadata-proxy": "false",
-    "service-password": "{{UNDERCLOUD_NOVA_PASSWORD}}",
-    "config": [
-        {"section": "DEFAULT",
-         "values": [
-            {"option": "scheduler_use_baremetal_filters",
-             "value": "{{SCHEDULER_USE_BAREMETAL_FILTERS}}"
-            },
-            {"option": "scheduler_default_filters",
-             "value": "{{SCHEDULER_DEFAULT_FILTERS}}"
-            },
-            {"option": "baremetal_scheduler_default_filters",
-             "value": "{{BAREMETAL_SCHEDULER_DEFAULT_FILTERS}}"
-            }
-         ]
-       }
-    ]
-  },
-  "ironic": {
-    "db": "mysql://ironic:{{UNDERCLOUD_DB_PASSWORD}}@localhost/ironic",
-    "service-password": "{{UNDERCLOUD_IRONIC_PASSWORD}}",
-    "config" : [
-      {
-        "values": [
-           { "option": "pxe_append_params",
-             "value": "biosdevname=1"
-           }
-        ],
-        "section": "pxe"
-      },
-      {
-        "section": "discoverd",
-        "values": [
-          { "option": "enabled",
-            "value": "true"
-          }
-        ]
-      }
-    ]
-  },
-  "bootstack": {
-    "public_interface_ip": "{{LOCAL_IP}}/24",
-    "masquerade_networks": ["{{MASQUERADE_NETWORK}}"]
-  },
-  "cinder": {
-    "db": "mysql://cinder:{{UNDERCLOUD_DB_PASSWORD}}@localhost/cinder",
-    "volume_size_mb": "5000",
-    "service-password": "{{UNDERCLOUD_CINDER_PASSWORD}}"
-  },
+ "hiera": {
+  "hierarchy": [
+   "puppet-stack-config"
+  ]},
+  "local-ip": "{{LOCAL_IP}}",
+  "masquerade_networks": ["{{MASQUERADE_NETWORK}}"],
   "neutron": {
-    "host": "127.0.0.1",
-    "ovs_db": "mysql://neutron:{{UNDERCLOUD_DB_PASSWORD}}@localhost/ovs_neutron?charset=utf8",
-    "ovs": {
-      "bridge_mappings": "ctlplane:br-ctlplane",
-      "dnsmasq_range": ["192.0.2.4", "192.0.2.4"],
-      "enable_tunneling": "False",
-      "network_vlan_ranges": "ctlplane",
-      "physical_bridge": "br-ctlplane",
-      "physical_network": "ctlplane",
-      "public_interface": "{{LOCAL_INTERFACE}}",
-      "tenant_network_type": "vlan",
-      "local_ip": "{{LOCAL_IP}}"
-    },
-    "service-password": "{{UNDERCLOUD_NEUTRON_PASSWORD}}",
     "dhcp_start": "{{DHCP_START}}",
     "dhcp_end": "{{DHCP_END}}",
     "network_cidr": "{{NETWORK_CIDR}}",
     "network_gateway": "{{NETWORK_GATEWAY}}"
   },
-  "heat": {
-    "db": "mysql://heat:{{UNDERCLOUD_DB_PASSWORD}}@localhost/heat",
-    "auth_encryption_key": "unset___________",
-    "watch_server_url": "http://{{LOCAL_IP}}:8003",
-    "waitcondition_server_url": "http://{{LOCAL_IP}}:8000/v1/waitcondition",
-    "metadata_server_url": "http://{{LOCAL_IP}}:8000",
-    "admin_tenant_name": "service",
-    "admin_user": "heat",
-    "admin_password": "{{UNDERCLOUD_HEAT_PASSWORD}}"
-  },
-  "horizon": {
-    "secret_key": "unset___________"
-  },
-  "tuskar": {
-    "service-password": "{{UNDERCLOUD_TUSKAR_PASSWORD}}",
-    "db": "mysql://tuskar:{{UNDERCLOUD_DB_PASSWORD}}@localhost/tuskar?charset=utf8",
-    "heat_keystone": {
-      "username": "admin",
-      "password": "unset",
-      "tenant_name": "admin"
-    }
-  },
-  "ceilometer": {
-    "service-password": "{{UNDERCLOUD_CEILOMETER_PASSWORD}}",
-    "db": "mysql://ceilometer:{{UNDERCLOUD_DB_PASSWORD}}@localhost/ceilometer?charset=utf8",
-    "metering_secret": "unset",
-    "snmpd_readonly_user_name": "ro_snmp_user",
-    "snmpd_readonly_user_password": "{{UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD}}"
-  },
-  "bootstrap_host": {
-    "bootstrap_nodeid": "undercloud",
-    "nodeid": "undercloud"
-  },
-  "corosync": {
-    "mcastport": "5577",
-    "bindnetaddr": "{{LOCAL_IP}}",
-    "nodes": [
-      { "ip": "{{LOCAL_IP}}" }
-    ]
-  },
-  "pacemaker": {
-    "stonith_enabled": "false",
-    "recheck_interval": "5",
-    "quorum_policy": "ignore"
-  },
   "discovery": {
     "interface": "{{DISCOVERY_INTERFACE}}",
     "iprange": "{{DISCOVERY_IPRANGE}}",
     "pxeip": "{{DISCOVERY_PXEIP}}"
+  },
+  "os_net_config": {
+   "network_config": [
+     {
+      "type": "ovs_bridge",
+      "name": "br-ctlplane",
+      "ovs_extra": [
+       "br-set-external-id br-ctlplane bridge-id br-ctlplane"
+      ],
+      "members": [
+       {
+        "type": "interface",
+        "name": "{{LOCAL_INTERFACE}}",
+        "primary": "true"
+       }
+      ],
+      "addresses": [
+        {
+          "ip_netmask": "{{LOCAL_IP}}/24"
+        }
+      ]
+    }
+   ]
+  },
+  "tuskar": {
+    "service-password": "{{UNDERCLOUD_TUSKAR_PASSWORD}}"
+  },
+  "ironic": {
+    "service-password": "{{UNDERCLOUD_IRONIC_PASSWORD}}"
   }
 }

elements/undercloud-stack-config/install.d/02-undercloud-stack-heat-metadata

@@ -14,37 +14,9 @@ template = os.path.join(os.path.dirname(__file__),
                         '..',
                         'config.json.template')
 
-
 context = { 
-    'DEPLOYMENT_MODE': os.environ.get('DEPLOYMENT_MODE', 'poc'),
-    'SCHEDULER_DEFAULT_FILTERS':
-        os.environ.get('SCHEDULER_DEFAULT_FILTERS',
-                       'RetryFilter,'
-                       'AvailabilityZoneFilter,'
-                       'RamFilter,'
-                       'DiskFilter,'
-                       'CoreFilter,'
-                       'ComputeFilter,'
-                       'ComputeCapabilitiesFilter,'
-                       'ImagePropertiesFilter,'
-                       'ServerGroupAntiAffinityFilter,'
-                       'ServerGroupAffinityFilter'),
-    'BAREMETAL_SCHEDULER_DEFAULT_FILTERS':
-        os.environ.get('BAREMETAL_SCHEDULER_DEFAULT_FILTERS',
-                       'RetryFilter,'
-                       'AvailabilityZoneFilter,'
-                       'ComputeFilter,'
-                       'ComputeCapabilitiesFilter,'
-                       'ImagePropertiesFilter,'
-                       'ExactRamFilter,'
-                       'ExactDiskFilter,'
-                       'ExactCoreFilter,'
-                       'ServerGroupAntiAffinityFilter,'
-                       'ServerGroupAffinityFilter'),
     'LOCAL_IP': os.environ.get('LOCAL_IP', '192.0.2.1'),
     'LOCAL_INTERFACE': os.environ.get('LOCAL_INTERFACE', 'eth1'),
-    'DNSMASQ_START': os.environ.get('DNSMASQ_START', '192.0.2.4'),
-    'DNSMASQ_END': os.environ.get('DNSMASQ_END', '192.0.2.4'),
     'MASQUERADE_NETWORK': os.environ.get('MASQUERADE_NETWORK', '192.0.2.0/24'),
     'DHCP_START': os.environ.get('DHCP_START', '192.0.2.5'),
     'DHCP_END': os.environ.get('DHCP_END', '192.0.2.24'),
@@ -53,24 +25,10 @@ context = {
     'DISCOVERY_INTERFACE': os.environ.get('DISCOVERY_INTERFACE', 'br-ctlplane'),
     'DISCOVERY_IPRANGE': os.environ.get('DISCOVERY_IPRANGE', '192.0.2.100,192.0.2.120'),
     'DISCOVERY_PXEIP': os.environ.get('DISCOVERY_PXEIP', '192.0.2.1'),
-    'UNDERCLOUD_DB_PASSWORD': os.environ.get('UNDERCLOUD_DB_PASSWORD', 'unset'),
-    'UNDERCLOUD_ADMIN_TOKEN': os.environ.get('UNDERCLOUD_ADMIN_TOKEN', 'unset'),
-    'UNDERCLOUD_ADMIN_PASSWORD': os.environ.get('UNDERCLOUD_ADMIN_PASSWORD', 'unset'),
-    'UNDERCLOUD_CEILOMETER_PASSWORD': os.environ.get('UNDERCLOUD_CEILOMETER_PASSWORD', 'unset'),
-    'UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD': os.environ.get('UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD', 'unset'),
-    'UNDERCLOUD_GLANCE_PASSWORD': os.environ.get('UNDERCLOUD_GLANCE_PASSWORD', 'unset'),
-    'UNDERCLOUD_HEAT_PASSWORD': os.environ.get('UNDERCLOUD_HEAT_PASSWORD', 'unset'),
-    'UNDERCLOUD_NEUTRON_PASSWORD': os.environ.get('UNDERCLOUD_NEUTRON_PASSWORD', 'unset'),
-    'UNDERCLOUD_NOVA_PASSWORD': os.environ.get('UNDERCLOUD_NOVA_PASSWORD', 'unset'),
     'UNDERCLOUD_TUSKAR_PASSWORD': os.environ.get('UNDERCLOUD_TUSKAR_PASSWORD', 'unset'),
-    'UNDERCLOUD_IRONIC_PASSWORD': os.environ.get('UNDERCLOUD_IRONIC_PASSWORD', 'unset')
+    'UNDERCLOUD_IRONIC_PASSWORD': os.environ.get('UNDERCLOUD_IRONIC_PASSWORD', 'unset'),
 }
 
-if context['DEPLOYMENT_MODE'] == 'scale':
-    context['SCHEDULER_USE_BAREMETAL_FILTERS'] = 'True'
-else:
-    context['SCHEDULER_USE_BAREMETAL_FILTERS'] = 'False'
-
 with open(template) as f:
     config_json = renderer.render(f.read(), context)
 
@@ -80,11 +38,6 @@ if not os.path.exists(os.path.dirname(cfn_path)):
 with open(cfn_path, 'w') as f:
     f.write(config_json)
 
-# For future reference, we could also generate this separately and combine the
-# cfn-init-data with the generated keystone data with:
-# jq -s '.[0].keystone=(.[0].keystone + .[1].keystone) | .[0]' cfn.json key.json 
-subprocess.check_call(['generate-keystone-pki', '-s', '--heatenv', cfn_path])
-
 # Make the json pretty again
 tmpfile = tempfile.mkstemp()[1]
 outfile = open(tmpfile, 'w')

elements/undercloud-stack-config/os-apply-config/root/stackrc

@@ -0,0 +1,7 @@
+export NOVA_VERSION=1.1
+export OS_PASSWORD=$(hiera admin_password)
+export OS_AUTH_URL=http://{{local-ip}}:5000/v2.0
+export OS_USERNAME=admin
+export OS_TENANT_NAME=admin
+export COMPUTE_API_VERSION=1.1
+export OS_NO_CACHE=True

elements/undercloud-stack-config/os-apply-config/root/tripleo-undercloud-passwords

@@ -1,11 +1,11 @@
-UNDERCLOUD_DB_PASSWORD={{db-password}}
-UNDERCLOUD_ADMIN_TOKEN={{admin-token}}
-UNDERCLOUD_ADMIN_PASSWORD={{admin-password}}
-UNDERCLOUD_GLANCE_PASSWORD={{glance.service-password}}
-UNDERCLOUD_HEAT_PASSWORD={{heat.admin_password}}
-UNDERCLOUD_NEUTRON_PASSWORD={{neutron.service-password}}
-UNDERCLOUD_NOVA_PASSWORD={{nova.service-password}}
-UNDERCLOUD_IRONIC_PASSWORD={{ironic.service-password}}
+UNDERCLOUD_DB_PASSWORD=$(hiera admin_password)
+UNDERCLOUD_ADMIN_TOKEN=$(hiera keystone::admin_token)
+UNDERCLOUD_ADMIN_PASSWORD=$(hiera admin_password)
+UNDERCLOUD_GLANCE_PASSWORD=$(hiera glance::api::keystone_password)
+UNDERCLOUD_HEAT_PASSWORD=$(hiera heat::keystone_password)
+UNDERCLOUD_NEUTRON_PASSWORD=$(hiera neutron::server::auth_password)
+UNDERCLOUD_NOVA_PASSWORD=$(hiera nova::api::admin_password)
+UNDERCLOUD_IRONIC_PASSWORD=$(hiera ironic::api::admin_password)
 UNDERCLOUD_TUSKAR_PASSWORD={{tuskar.service-password}}
-UNDERCLOUD_CEILOMETER_PASSWORD={{ceilometer.service-password}}
-UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD={{ceilometer.snmpd_readonly_user_password}}
+UNDERCLOUD_CEILOMETER_PASSWORD=$(hiera ceilometer::api::keystone_password)
+UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD=$(hiera snmpd_readonly_user_password)

elements/undercloud-stack-config/os-apply-config/var/opt/undercloud-stack/masquerade

@@ -5,13 +5,13 @@ iptables -t nat -D POSTROUTING -j BOOTSTACK_MASQ_NEW || true
 iptables -t nat -X BOOTSTACK_MASQ_NEW || true
 iptables -t nat -N BOOTSTACK_MASQ_NEW
 # Build the chain we want.
-{{#bootstack.masquerade_networks}}
+{{#masquerade_networks}}
 NETWORK={{.}}
 # Workaround iptables not permitting two -d parameters in one call.
 iptables -t nat -A BOOTSTACK_MASQ_NEW -s $NETWORK -d 192.168.122.1 -j RETURN
 iptables -t nat -A BOOTSTACK_MASQ_NEW -s $NETWORK ! -d $NETWORK -j MASQUERADE
 iptables -t nat -A POSTROUTING -s $NETWORK -o eth0 -j MASQUERADE
-{{/bootstack.masquerade_networks}}
+{{/masquerade_networks}}
 # Link it in.
 iptables -t nat -I POSTROUTING -j BOOTSTACK_MASQ_NEW
 # Delete the old chain if present.

elements/undercloud-stack-config/post-install.d/10-tuskar-role-directory

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-basedir=$(os-refresh-config --print-base)
-mkdir $basedir/environment.d
-cat > $basedir/environment.d/10-tuskar-role-directory <<EOF
-export TUSKAR_ROLE_DIRECTORY=$TUSKAR_ROLE_DIRECTORY
-EOF

instack.answers.sample

@@ -109,7 +109,47 @@ UNDERCLOUD_TUSKAR_PASSWORD=
 # If left unset, one will be automatically generated
 UNDERCLOUD_CEILOMETER_PASSWORD=
 
+### Ceilometer metering secret ###
+# Ceilometer metering secret
+# If left unset, one will be automatically generated
+UNDERCLOUD_CEILOMETER_METERING_SECRET=
+
+### Ceilometer snmpd user ###
+# Ceilometer snmpd user
+# If left unset, one will be automatically generated
+UNDERCLOUD_CEILOMETER_SNMPD_USER=
+
 ### Ceilometer snmpd password ###
 # Ceilometer snmpd password
 # If left unset, one will be automatically generated
 UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD=
+
+### Swift password ###
+# Swift password
+# If left unset, one will be automatically generated
+UNDERCLOUD_SWIFT_PASSWORD=
+
+### Rabbit Cookie ###
+# Rabbit Cookie
+# If left unset, one will be automatically generated
+UNDERCLOUD_RABBIT_COOKIE=
+
+### Rabbit Password ###
+# Rabbit Password
+# If left unset, one will be automatically generated
+UNDERCLOUD_RABBIT_PASSWORD=
+
+### Rabbit Username ###
+# Rabbit Username
+# If left unset, one will be automatically generated
+UNDERCLOUD_RABBIT_USERNAME=
+
+### Heat Stack Domain Admin Password ###
+# Heat Stack Domain Admin Password
+# If left unset, one will be automatically generated
+UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD=
+
+### Swift Hash Suffix ###
+# Swift Hash Suffix
+# If left unset, one will be automatically generated
+UNDERCLOUD_SWIFT_HASH_SUFFIX=

json-files/rhel-7-rhos-6-undercloud-packages.json

@@ -42,7 +42,6 @@
       "ceilometer-undercloud-config",
       "ironic-discoverd",
       "element-manifest",
-      "fix-undercloud-package-installs",
       "os-cloud-config",
       "install-server",
       "selinux-permissive",

json-files/rhel-7-undercloud-packages.json

@@ -23,28 +23,19 @@
       "undercloud-install",
       "rhel7",
       "rhel7-distro",
-      "boot-stack",
-      "nova-ironic",
       "os-collect-config",
       "horizon",
-      "neutron-dhcp-agent",
       "undercloud-stack-config",
-      "rabbitmq-server",
-      "mariadb-rpm",
-      "os-refresh-config-reboot",
       "common-venv",
       "undercloud-post-config",
       "undercloud-package-install",
-      "ceilometer-collector",
-      "ceilometer-api",
-      "ceilometer-agent-central",
-      "ceilometer-agent-notification",
-      "ceilometer-undercloud-config",
       "ironic-discoverd",
       "element-manifest",
       "tuskar",
-      "fix-undercloud-package-installs",
-      "os-cloud-config"
+      "ironic-conductor",
+      "os-cloud-config",
+      "os-net-config",
+      "puppet-stack-config"
     ],
     "hook": [
       "extra-data",
@@ -56,7 +47,8 @@
     "exclude-element": [
       "dkms",
       "openvswitch-datapath",
-      "pip-and-virtualenv"
+      "pip-and-virtualenv",
+      "ironic"
     ],
     "blacklist": [
       "10-cloud-init",

scripts/instack-install-undercloud

@@ -57,17 +57,10 @@ $INSTACKUNDERCLOUDELEMENTS:\
 echo "Sourcing answers file from instack.answers..."
 source ~/instack.answers
 
-export DEPLOYMENT_MODE
 export IMAGE_PATH
-export LOCAL_IP
-export DNSMASQ_START
-export DNSMASQ_END
 export LOCAL_INTERFACE
+export LOCAL_IP
 export MASQUERADE_NETWORK
-export POWER_DRIVER
-export VIRTUAL_POWER_USER
-
-export VIRTUAL_POWER_HOST
 export DHCP_START
 export DHCP_END
 export NETWORK_CIDR
@@ -76,19 +69,24 @@ export DISCOVERY_INTERFACE
 export DISCOVERY_IPRANGE
 export DISCOVERY_PXEIP
 
-export UNDERCLOUD_DB_PASSWORD=${UNDERCLOUD_DB_PASSWORD:-$(tripleo os-make-password)}
-export UNDERCLOUD_ADMIN_TOKEN=${UNDERCLOUD_ADMIN_TOKEN:-$(tripleo os-make-password)}
+export UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD=${UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD:-$(tripleo os-make-password)}
+export UNDERCLOUD_RABBIT_COOKIE=${UNDERCLOUD_RABBIT_COOKIE:-$(tripleo os-make-password)}
+export UNDERCLOUD_RABBIT_PASSWORD=${UNDERCLOUD_RABBIT_PASSWORD:-guest}
+export UNDERCLOUD_RABBIT_USERNAME=${UNDERCLOUD_RABBIT_USERNAME:-guest}
+export UNDERCLOUD_SWIFT_HASH_SUFFIX=${UNDERCLOUD_SWIFT_HASH_SUFFIX:-$(tripleo os-make-password)}
 export UNDERCLOUD_ADMIN_PASSWORD=${UNDERCLOUD_ADMIN_PASSWORD:-$(tripleo os-make-password)}
-export UNDERCLOUD_GLANCE_PASSWORD=${UNDERCLOUD_GLANCE_PASSWORD:-$(tripleo os-make-password)}
-export UNDERCLOUD_HEAT_PASSWORD=${UNDERCLOUD_HEAT_PASSWORD:-$(tripleo os-make-password)}
-export UNDERCLOUD_NEUTRON_PASSWORD=${UNDERCLOUD_NEUTRON_PASSWORD:-$(tripleo os-make-password)}
-export UNDERCLOUD_NOVA_PASSWORD=${UNDERCLOUD_NOVA_PASSWORD:-$(tripleo os-make-password)}
-export UNDERCLOUD_IRONIC_PASSWORD=${UNDERCLOUD_IRONIC_PASSWORD:-$(tripleo os-make-password)}
-export UNDERCLOUD_TUSKAR_PASSWORD=${UNDERCLOUD_TUSKAR_PASSWORD:-$(tripleo os-make-password)}
+export UNDERCLOUD_ADMIN_TOKEN=${UNDERCLOUD_ADMIN_TOKEN:-$(tripleo os-make-password)}
+export UNDERCLOUD_CEILOMETER_METERING_SECRET=${UNDERCLOUD_CEILOMETER_METERING_SECRET:-$(tripleo os-make-password)}
 export UNDERCLOUD_CEILOMETER_PASSWORD=${UNDERCLOUD_CEILOMETER_PASSWORD:-$(tripleo os-make-password)}
 export UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD=${UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD:-$(tripleo os-make-password)}
-
-export TUSKAR_ROLE_DIRECTORY=${TUSKAR_ROLE_DIRECTORY:-/usr/share/openstack-tripleo-heat-templates}
+export UNDERCLOUD_CEILOMETER_SNMPD_USER=${UNDERCLOUD_CEILOMETER_SNMPD_USER:-$(tripleo os-make-password)}
+export UNDERCLOUD_GLANCE_PASSWORD=${UNDERCLOUD_GLANCE_PASSWORD:-$(tripleo os-make-password)}
+export UNDERCLOUD_HEAT_PASSWORD=${UNDERCLOUD_HEAT_PASSWORD:-$(tripleo os-make-password)}
+export UNDERCLOUD_IRONIC_PASSWORD=${UNDERCLOUD_IRONIC_PASSWORD:-$(tripleo os-make-password)}
+export UNDERCLOUD_NEUTRON_PASSWORD=${UNDERCLOUD_NEUTRON_PASSWORD:-$(tripleo os-make-password)}
+export UNDERCLOUD_NOVA_PASSWORD=${UNDERCLOUD_NOVA_PASSWORD:-$(tripleo os-make-password)}
+export UNDERCLOUD_SWIFT_PASSWORD=${UNDERCLOUD_SWIFT_PASSWORD:-$(tripleo os-make-password)}
+export UNDERCLOUD_TUSKAR_PASSWORD=${UNDERCLOUD_TUSKAR_PASSWORD:-$(tripleo os-make-password)}
 
 sudo -E instack \
   -p $ELEMENTS_PATH \
@@ -104,7 +102,7 @@ if [ "$RUN_ORC" = "1" ]; then
       ssh-keygen -t rsa -N ""  -f ~/.ssh/id_rsa
     fi
 
-    command $(sudo cat /root/stackrc | xargs)
+    source <(sudo cat /root/stackrc)
     if ! nova keypair-show default 2>/dev/null; then
         tripleo user-config
     fi

scripts/instack-prepare-for-overcloud

@@ -8,7 +8,7 @@ export DEPLOY_NAME=${DEPLOY_NAME:-deploy-ramdisk-ironic}
 export DISCOVERY_NAME=${DISCOVERY_NAME:-discovery-ramdisk}
 TFTP_ROOT=${TFTP_ROOT:-/tftpboot}
 
-command $(sudo cat /root/stackrc | xargs)
+source <(sudo cat /root/stackrc)
 
 OS_AUTH_URL=${OS_AUTH_URL:-""}
 if [ -z "$OS_AUTH_URL" ]; then