From 9d82364de8d6d1fba083993e085fb8cafcc08268 Mon Sep 17 00:00:00 2001 From: Oliver Walsh Date: Wed, 8 Apr 2020 21:04:49 +0100 Subject: [PATCH] Refactor nova db config It is best to avoid placing db creds on the compute nodes to limit the exposure if an attacker succeeds in gaining access to the hypervisor host. Related patches in puppet-nova remove the credentials from nova.conf however the current scope of db credential hieradata is all nova tripleo services - so it will be written to the hieradata keys on compute nodes. This patch refactors the nova hieradata structure, splitting the nova-api/nova database hieradata out into individual templates and selectively including only where necessary, ensuring we have no db creds on a compute node (unless it is an all-in-one api+compute node). Depends-On: I07caa3185427b48e6e7d60965fa3e6157457018c Change-Id: Ia4a29bdd2cd8e894bcc7c0078cf0f0ab0f97de0a Closes-bug: #1871482 --- .../nova/nova-api-container-puppet.yaml | 38 ++++++--- deployment/nova/nova-apidb-client-puppet.yaml | 78 ++++++++++++++++++ deployment/nova/nova-base-puppet.yaml | 72 +---------------- .../nova/nova-compute-container-puppet.yaml | 19 ++--- .../nova/nova-conductor-container-puppet.yaml | 60 +++++++++++--- deployment/nova/nova-db-client-puppet.yaml | 80 +++++++++++++++++++ .../nova/nova-ironic-container-puppet.yaml | 13 +-- .../nova/nova-libvirt-container-puppet.yaml | 11 +-- .../nova/nova-manager-container-puppet.yaml | 1 + .../nova/nova-metadata-container-puppet.yaml | 45 ++++++++--- .../nova/nova-scheduler-container-puppet.yaml | 31 ++++++- .../nova/nova-vnc-proxy-container-puppet.yaml | 19 ++++- 12 files changed, 330 insertions(+), 137 deletions(-) create mode 100644 deployment/nova/nova-apidb-client-puppet.yaml create mode 100644 deployment/nova/nova-db-client-puppet.yaml diff --git a/deployment/nova/nova-api-container-puppet.yaml b/deployment/nova/nova-api-container-puppet.yaml index 29c19f3519..b850bc89db 100644
--- a/deployment/nova/nova-api-container-puppet.yaml +++ b/deployment/nova/nova-api-container-puppet.yaml @@ -152,6 +152,27 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + NovaApiDBClient: + type: ./nova-apidb-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + NovaDBClient: + type: ./nova-db-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + outputs: role_data: description: Role data for the Nova API role. @@ -180,6 +201,8 @@ outputs: config_settings: map_merge: - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [NovaApiDBClient, role_data, config_settings] + - get_attr: [NovaDBClient, role_data, config_settings] - get_attr: [NovaApiLogging, config_settings] - apache::default_vhost: false nova::keystone::authtoken::project_name: 'service' 
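Review bot: By the hunk counts (6 old lines, 27 new, two resource blocks of 9 lines plus one separator) the new `NovaDBClient` block is followed by two added empty lines on top of the existing blank context line before `outputs:`, so this template ends its resources section with three consecutive blank lines; yamllint's default `empty-lines` limit is two. The same `+` `+` tail appears in the nova-conductor, nova-metadata and nova-vnc-proxy resource hunks, while nova-scheduler adds only one. Dropping one of the two added blank lines in each keeps the files consistent with the scheduler hunk.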
@@ -231,19 +254,14 @@ outputs: nova::wsgi::apache_api::workers: {get_param: NovaWorkers} service_config_settings: + rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq} + mysql: + map_merge: + - get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql] + - get_attr: [NovaDBClient, role_data, service_config_settings, mysql] rsyslog: tripleo_logging_sources_nova_api: - {get_param: NovaApiLoggingSource} - mysql: - map_merge: - - {get_attr: [NovaBase, role_data, service_config_settings, mysql]} - - nova::db::mysql_api::password: {get_param: NovaPassword} - nova::db::mysql_api::user: nova_api - nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - nova::db::mysql_api::dbname: nova_api - nova::db::mysql_api::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" # BEGIN DOCKER SETTINGS puppet_config: config_volume: nova diff --git a/deployment/nova/nova-apidb-client-puppet.yaml b/deployment/nova/nova-apidb-client-puppet.yaml new file mode 100644 index 0000000000..604a677fc4 --- /dev/null +++ b/deployment/nova/nova-apidb-client-puppet.yaml 
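Review bot: `rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}` is not a get_attr with an attribute path: the closing bracket comes before `rabbitmq`, so YAML reads a two-key flow mapping (`get_attr` plus a bare `rabbitmq` key with a null value), and Heat only resolves a mapping as an intrinsic when that one key is the whole mapping, so this comes through as literal data — a `get_attr` key holding three strings and a null `rabbitmq` — and `nova::rabbit_use_ssl` never reaches the rabbitmq hieradata. The intended line is `rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings, rabbitmq]}`. The identical line is added in the nova-conductor, nova-metadata, nova-scheduler and nova-vnc-proxy hunks further down, so all five need the same fix unless the bracket was displaced when this listing was collapsed. Template validation will not catch it, since the result is a syntactically valid mapping.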
@@ -0,0 +1,78 @@
+heat_template_version: rocky
+
+description: >
+ OpenStack Nova database client service.
+
+parameters:
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ NovaPassword:
+ description: The password for the nova service and db account
+ type: string
+ hidden: true
+ EnableSQLAlchemyCollectd:
+ type: boolean
+ description: >
+ Set to true to enable the SQLAlchemy-collectd server plugin
+ default: false
+
+conditions:
+ enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
+
+outputs:
+ role_data:
+ description: Role data for the Nova base service.
+ value: + config_settings: + nova::api_database_connection: + make_url: + scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} + username: nova_api + password: {get_param: NovaPassword} + host: {get_param: [EndpointMap, MysqlInternal, host]} + path: /nova_api + query: + if: + - enable_sqlalchemy_collectd + - + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + plugin: collectd + collectd_program_name: nova_api + collectd_host: localhost + - + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + service_config_settings: + mysql: + nova::db::mysql_api::password: {get_param: NovaPassword} + nova::db::mysql_api::user: nova_api + nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + nova::db::mysql_api::dbname: nova_api + nova::db::mysql_api::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/deployment/nova/nova-base-puppet.yaml b/deployment/nova/nova-base-puppet.yaml index dde8e9d866..4dcaa9e512 100644 --- a/deployment/nova/nova-base-puppet.yaml +++ b/deployment/nova/nova-base-puppet.yaml @@ -59,10 +59,6 @@ parameters: default: 'br-int' description: Name of integration bridge used by Open vSwitch type: string - DatabaseSyncTimeout: - default: 300 - description: DB Sync Timeout default - type: number Debug: type: boolean default: false 
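Review bot: The two descriptions in this new template are copied from the cell DB client and do not say what it is: `description: > OpenStack Nova database client service.` at the top and `description: Role data for the Nova base service.` under role_data. Since the point of the split is that this file carries only the nova_api credential, suggest `OpenStack Nova API database client service.` and `Role data for the Nova API database client service.`. `DefaultPasswords` is also the only boilerplate parameter here without a `description`.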
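Review bot: `DatabaseSyncTimeout` is deleted outright rather than retired the way this tree usually removes a parameter (a `parameter_groups` entry labelled deprecated plus a release note), so an operator who set it in parameter_defaults gets no warning — Heat silently ignores a parameter_defaults entry that no template declares. If the value genuinely has no consumer any more (the `nova::db::sync*::db_sync_timeout` settings it fed are dropped in a later hunk of this file, and db sync now runs as a container command), a sentence in the commit message or a release note would record that; otherwise keep the parameter declared for a cycle.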
@@ -294,66 +290,6 @@ outputs: nova::placement::region_name: {get_param: KeystoneRegion} nova::placement::valid_interfaces: {get_param: PlacementAPIInterface} nova::os_region_name: {get_param: KeystoneRegion} - nova::database_connection: - make_url: - scheme: {get_param: [EndpointMap, MysqlCellInternal, protocol]} - username: nova - password: {get_param: NovaPassword} - host: {get_param: [EndpointMap, MysqlCellInternal, host]} - path: /nova - query: - if: - - enable_sqlalchemy_collectd - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - plugin: collectd - collectd_program_name: nova - collectd_host: localhost - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - - nova::cell0_database_connection: - make_url: - scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} - username: nova - password: {get_param: NovaPassword} - host: {get_param: [EndpointMap, MysqlInternal, host]} - path: /nova_cell0 - query: - if: - - enable_sqlalchemy_collectd - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - plugin: collectd - collectd_program_name: nova_cell0 - collectd_host: localhost - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - - nova::api_database_connection: - make_url: - scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} - username: nova_api - password: {get_param: NovaPassword} - host: {get_param: [EndpointMap, MysqlInternal, host]} - path: /nova_api - query: - if: - - enable_sqlalchemy_collectd - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - plugin: collectd - collectd_program_name: nova_api - collectd_host: localhost - - - read_default_file: /etc/my.cnf.d/tripleo.cnf - read_default_group: tripleo - nova::logging::debug: if: - service_debug_unset 
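Review bot: `nova::cell0_database_connection` is removed here but, unlike `nova::database_connection` and `nova::api_database_connection`, it is not re-created in either new client template, so after this patch no service template outputs it. If that is deliberate (the Depends-On puppet-nova change may now derive cell0 from the main connection) the commit message should say so; if not, it belongs in nova-db-client-puppet.yaml next to `nova::database_connection`, since its consumer is not visible in these hunks. The last hunk of this file drops `nova::db::mysql_api::setup_cell0: true` the same way and nova-apidb-client-puppet.yaml's mysql block does not carry it, so cell0 creation now depends on puppet-nova's default for `setup_cell0` — worth confirming before merge.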
@@ -375,8 +311,6 @@ outputs: nova::network::neutron::auth_type: 'v3password' nova::db::database_db_max_retries: -1 nova::db::database_max_retries: -1 - nova::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout} - nova::db::sync_api::db_sync_timeout: {get_param: DatabaseSyncTimeout} nova::network::neutron::ovs_bridge: {get_param: NovaOVSBridge} nova::cache::enabled: true nova::cache::backend: 'dogpile.cache.memcached' @@ -420,9 +354,5 @@ outputs: - {} - nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute} service_config_settings: - mysql: - # NOTE(aschultz): this should be configurable if/when we support more - # complex cell v2 configurations. For now, this is the default cell - # created for the cell v2 configuration - nova::db::mysql_api::setup_cell0: true + rabbitmq: nova::rabbit_use_ssl: {get_param: RpcUseSSL} diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml index 7e6f65bb30..a8451a74d6 100644 --- a/deployment/nova/nova-compute-container-puppet.yaml +++ b/deployment/nova/nova-compute-container-puppet.yaml @@ -538,16 +538,13 @@ resources: ContainersCommon: type: ../containers-common.yaml - MySQLClient: - type: ../../deployment/database/mysql-client.yaml - NovaComputeCommon: type: ./nova-compute-common-container-puppet.yaml properties: - EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} 
@@ -851,14 +848,11 @@ outputs: puppet_config: config_volume: nova_libvirt puppet_tags: nova_config,nova_paste_api_ini - step_config: - list_join: - - "\n" - - - # TODO(emilien): figure how to deal with libvirt profile. - # We'll probably treat it like we do with Neutron plugins. - # Until then, just include it in the default nova-compute role. - include tripleo::profile::base::nova::compute::libvirt - - {get_attr: [MySQLClient, role_data, step_config]} + step_config: | + # TODO(emilien): figure how to deal with libvirt profile. + # We'll probably treat it like we do with Neutron plugins. + # Until then, just include it in the default nova-compute role. + include tripleo::profile::base::nova::compute::libvirt config_image: {get_param: ContainerNovaLibvirtConfigImage} kolla_config: /var/lib/kolla/config_files/nova_compute.json: @@ -984,7 +978,6 @@ outputs: list_concat: - {get_attr: [ContainersCommon, volumes]} - - - /var/lib/config-data/nova_libvirt/etc/my.cnf.d/:/etc/my.cnf.d/:ro - /var/lib/config-data/nova_libvirt/etc/nova/:/etc/nova/:ro - /var/log/containers/nova:/var/log/nova - /var/lib/container-config-scripts/:/container-config-scripts/ diff --git a/deployment/nova/nova-conductor-container-puppet.yaml b/deployment/nova/nova-conductor-container-puppet.yaml index 401c007e8f..c215cd68bc 100644 --- a/deployment/nova/nova-conductor-container-puppet.yaml +++ b/deployment/nova/nova-conductor-container-puppet.yaml @@ -58,9 +58,14 @@ parameters: description: The password for the nova service and db account type: string hidden: true + NovaAdditionalCell: + default: false + description: Whether this is an cell additional to the default cell. + type: boolean conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} + is_not_additional_cell: {equals: [{get_param: NovaAdditionalCell}, false]} resources: 
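Review bot: Dropping the `/var/lib/config-data/nova_libvirt/etc/my.cnf.d/:/etc/my.cnf.d/:ro` mount is consistent with removing MySQLClient, whose step_config was what populated that directory in the nova_libvirt config volume, but only this one volume list is in the hunk. Any other container in this template, or in nova-ironic and nova-libvirt which get the same MySQLClient removal later in the patch, that still binds `.../etc/my.cnf.d/` would now point at a path puppet no longer writes, which may fail at container start rather than be created on demand; a grep for `my.cnf.d` across the three templates would settle it. The nova_compute container this volume list belongs to starts outside the hunk.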
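Review bot: The new `NovaAdditionalCell` description `Whether this is an cell additional to the default cell.` is garbled; something like `Whether this conductor serves a cell other than the default cell (enables nova-manage db sync --local_cell).` says both what the flag means and what it changes in this template. The condition it feeds, `is_not_additional_cell`, is named in the negative while its only use in this patch is the `DB_SYNC_ARGS` choice further down this file; a positive `is_additional_cell` with the branches swapped would read more directly, though that is a matter of taste.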
@@ -86,6 +91,27 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + NovaApiDBClient: + type: ./nova-apidb-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + NovaDBClient: + type: ./nova-db-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + outputs: role_data: description: Role data for the Nova Conductor service. 
@@ -94,27 +120,28 @@ outputs: monitoring_subscription: {get_param: MonitoringSubscriptionNovaConductor} config_settings: map_merge: - - {get_attr: [NovaBase, role_data, config_settings]} - - {get_attr: [NovaLogging, config_settings]} + - get_attr: [NovaBase, role_data, config_settings] + # FIXME(owalsh): NovaApiDBClient should be conditional on is_not_additional_cell + # however cell conductor currently requires api db access for affinity checks + - get_attr: [NovaApiDBClient, role_data, config_settings] + - get_attr: [NovaDBClient, role_data, config_settings] + - get_attr: [NovaLogging, config_settings] - if: - nova_workers_zero - {} - nova::conductor::workers: {get_param: NovaWorkers} service_config_settings: + rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq} + mysql: + map_merge: + # FIXME(owalsh): NovaApiDBClient should be conditional on is_not_additional_cell + # however cell conductor currently requires api db access for affinity checks + - get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql] + - get_attr: [NovaDBClient, role_data, service_config_settings, mysql] rsyslog: tripleo_logging_sources_nova_conductor: - {get_param: NovaConductorLoggingSource} - mysql: - map_merge: - - {get_attr: [NovaBase, role_data, service_config_settings, mysql]} - - nova::db::mysql::password: {get_param: NovaPassword} - nova::db::mysql::user: nova - nova::db::mysql::host: {get_param: [EndpointMap, MysqlCellInternal, host_nobrackets]} - nova::db::mysql::dbname: nova - nova::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" # BEGIN DOCKER SETTINGS puppet_config: config_volume: nova 
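Review bot: The two-line `FIXME(owalsh)` about NovaApiDBClient is pasted verbatim into both `config_settings` and `service_config_settings.mysql`; keep one copy, ideally on the `NovaApiDBClient` resource declaration where the `is_not_additional_cell` condition would eventually be applied, and reduce the second to a one-line cross-reference. It is also worth a sentence in the commit message that, because of this, cell conductor nodes in additional cells still receive the nova_api credential, so the bug's exposure reduction applies to compute nodes only.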
@@ -158,7 +185,14 @@ outputs: - /var/lib/config-data/nova/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro - /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro user: root - command: "/usr/bin/bootstrap_host_exec nova_conductor su nova -s /bin/bash -c '/usr/bin/nova-manage db sync'" + command: + str_replace: + template: "/usr/bin/bootstrap_host_exec nova_conductor su nova -s /bin/bash -c '/usr/bin/nova-manage db sync DB_SYNC_ARGS'" + params: + if: + - is_not_additional_cell + - DB_SYNC_ARGS: "" + - DB_SYNC_ARGS: "--local_cell" environment: TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} step_4: diff --git a/deployment/nova/nova-db-client-puppet.yaml b/deployment/nova/nova-db-client-puppet.yaml new file mode 100644 index 0000000000..db16a4e857 --- /dev/null +++ b/deployment/nova/nova-db-client-puppet.yaml 
@@ -0,0 +1,80 @@
+heat_template_version: rocky
+
+description: >
+ OpenStack Nova database client service.
+
+parameters:
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ NovaPassword:
+ description: The password for the nova service and db account
+ type: string
+ hidden: true
+ EnableSQLAlchemyCollectd:
+ type: boolean
+ description: >
+ Set to true to enable the SQLAlchemy-collectd server plugin
+ default: false
+
+conditions:
+ enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
+
+outputs:
+ role_data:
+ description: Role data for the Nova base service.
+ value: + config_settings: + nova::database_connection: + make_url: + scheme: {get_param: [EndpointMap, MysqlCellInternal, protocol]} + username: nova + password: {get_param: NovaPassword} + host: {get_param: [EndpointMap, MysqlCellInternal, host]} + path: /nova + query: + if: + - enable_sqlalchemy_collectd + - + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + plugin: collectd + collectd_program_name: nova + collectd_host: localhost + - + read_default_file: /etc/my.cnf.d/tripleo.cnf + read_default_group: tripleo + service_config_settings: + mysql: + nova::db::mysql::password: {get_param: NovaPassword} + nova::db::mysql::user: nova + nova::db::mysql::host: {get_param: [EndpointMap, MysqlCellInternal, host_nobrackets]} + nova::db::mysql::dbname: nova + nova::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" + + diff --git a/deployment/nova/nova-ironic-container-puppet.yaml b/deployment/nova/nova-ironic-container-puppet.yaml index 7364ae655f..5bd4a9c9ae 100644 --- a/deployment/nova/nova-ironic-container-puppet.yaml +++ b/deployment/nova/nova-ironic-container-puppet.yaml @@ -83,16 +83,13 @@ resources: ContainersCommon: type: ../containers-common.yaml - MySQLClient: - type: ../../deployment/database/mysql-client.yaml - NovaComputeCommon: type: ./nova-compute-common-container-puppet.yaml properties: - EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} @@ -106,6 +103,7 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + outputs: role_data: description: Role data for the Nova Compute service. 
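Review bot: This file ends with two empty added lines after the `allowed_hosts` list (the hunk counts 80 lines against 78 for the otherwise parallel API client), which yamllint will flag as trailing blank lines; drop them. As in the API client, `description: Role data for the Nova base service.` is a copy-paste leftover and should read `Role data for the Nova database client service.`. The `'%'` entry in `nova::db::mysql::allowed_hosts` is carried over unchanged from nova-base, so the nova DB account remains reachable from any host that holds the password; that is outside this patch's scope, but given its goal of narrowing where the credential lives, a follow-up limiting the grant to the networks the cell services connect from would be the natural companion.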
@@ -131,11 +129,8 @@ outputs: puppet_config: config_volume: nova puppet_tags: nova_config,nova_paste_api_ini - step_config: - list_join: - - "\n" - - - include tripleo::profile::base::nova::compute::ironic - - {get_attr: [MySQLClient, role_data, step_config]} + step_config: | + include tripleo::profile::base::nova::compute::ironic config_image: {get_param: ContainerNovaConfigImage} kolla_config: /var/lib/kolla/config_files/nova_ironic.json: diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml index 71fbb0dacf..92d4904771 100644 --- a/deployment/nova/nova-libvirt-container-puppet.yaml +++ b/deployment/nova/nova-libvirt-container-puppet.yaml @@ -340,9 +340,6 @@ resources: ContainersCommon: type: ../containers-common.yaml - MySQLClient: - type: ../../deployment/database/mysql-client.yaml - NovaLibvirtLogging: type: OS::TripleO::Services::Logging::NovaLibvirt @@ -356,6 +353,7 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + outputs: role_data: description: Role data for the Libvirt service. @@ -558,11 +556,8 @@ outputs: puppet_config: config_volume: nova_libvirt puppet_tags: libvirtd_config,virtlogd_config,nova_config,file,libvirt_tls_password - step_config: - list_join: - - "\n" - - - include tripleo::profile::base::nova::libvirt - - {get_attr: [MySQLClient, role_data, step_config]} + step_config: | + include tripleo::profile::base::nova::libvirt config_image: {get_param: ContainerNovaLibvirtConfigImage} kolla_config: /var/lib/kolla/config_files/nova_libvirt.json: diff --git a/deployment/nova/nova-manager-container-puppet.yaml b/deployment/nova/nova-manager-container-puppet.yaml index 7d5da2d2ef..4cbecce147 100644 --- a/deployment/nova/nova-manager-container-puppet.yaml +++ b/deployment/nova/nova-manager-container-puppet.yaml 
@@ -56,6 +56,7 @@ resources: EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + NovaAdditionalCell: false # API DB access required outputs: diff --git a/deployment/nova/nova-metadata-container-puppet.yaml b/deployment/nova/nova-metadata-container-puppet.yaml index 5e2afe4f8a..548c775602 100644 --- a/deployment/nova/nova-metadata-container-puppet.yaml +++ b/deployment/nova/nova-metadata-container-puppet.yaml @@ -81,6 +81,7 @@ conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}} + is_not_cell_local: {equals: [{get_param: NovaLocalMetadataPerCell}, false]} resources: @@ -114,6 +115,27 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + NovaApiDBClient: + type: ./nova-apidb-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + NovaDBClient: + type: ./nova-db-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + outputs: role_data: description: Role data for the Nova Metadata service. 
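Review bot: `is_not_cell_local: {equals: [{get_param: NovaLocalMetadataPerCell}, false]}` reads a parameter that this patch does not add; if `NovaLocalMetadataPerCell` is already declared in this template (it is not visible in these hunks) this is fine, otherwise validation fails on the undeclared get_param. Separately, once the `nova::db::mysql_api::*` block is removed in the next hunk, `NovaPassword` may no longer be referenced in this template — the same question applies to nova-api, nova-scheduler and nova-vnc-proxy now that the two client templates declare their own copy; where it has become unused it should be deleted rather than left as a dead declaration.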
@@ -128,6 +150,11 @@ outputs: config_settings: map_merge: - get_attr: [NovaBase, role_data, config_settings] + - if: + - is_not_cell_local + - get_attr: [NovaApiDBClient, role_data, config_settings] + - {} + - get_attr: [NovaDBClient, role_data, config_settings] - get_attr: [ApacheServiceBase, role_data, config_settings] - get_attr: [NovaMetadataLogging, config_settings] - apache::default_vhost: false @@ -168,19 +195,17 @@ outputs: - nova::metadata::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} - {} service_config_settings: + rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq} + mysql: + map_merge: + - if: + - is_not_cell_local + - get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql] + - {} + - get_attr: [NovaDBClient, role_data, service_config_settings, mysql] rsyslog: tripleo_logging_sources_nova_metadata: - {get_param: NovaMetadataLoggingSource} - mysql: - map_merge: - - {get_attr: [NovaBase, role_data, service_config_settings, mysql]} - - nova::db::mysql_api::password: {get_param: NovaPassword} - nova::db::mysql_api::user: nova_api - nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - nova::db::mysql_api::dbname: nova_api - nova::db::mysql_api::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" # BEGIN DOCKER SETTINGS puppet_config: config_volume: nova_metadata diff --git a/deployment/nova/nova-scheduler-container-puppet.yaml b/deployment/nova/nova-scheduler-container-puppet.yaml index 234c8143df..7ad3b8f774 100644 --- a/deployment/nova/nova-scheduler-container-puppet.yaml +++ b/deployment/nova/nova-scheduler-container-puppet.yaml 
@@ -142,6 +142,26 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + NovaApiDBClient: + type: ./nova-apidb-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + NovaDBClient: + type: ./nova-db-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + outputs: role_data: @@ -151,8 +171,10 @@ outputs: monitoring_subscription: {get_param: MonitoringSubscriptionNovaScheduler} config_settings: map_merge: - - {get_attr: [NovaBase, role_data, config_settings]} - - {get_attr: [NovaLogging, config_settings]} + - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [NovaApiDBClient, role_data, config_settings] + - get_attr: [NovaDBClient, role_data, config_settings] + - get_attr: [NovaLogging, config_settings] - nova::scheduler::filter::scheduler_available_filters: {get_param: NovaSchedulerAvailableFilters} nova::scheduler::filter::scheduler_default_filters: {get_param: NovaSchedulerDefaultFilters} nova::scheduler::filter::scheduler_max_attempts: {get_param: NovaSchedulerMaxAttempts} @@ -168,6 +190,11 @@ outputs: - {} - nova::scheduler::workers: {get_param: NovaSchedulerWorkers} service_config_settings: + rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq} + mysql: + map_merge: + - get_attr: [NovaApiDBClient, role_data, service_config_settings, mysql] + - get_attr: [NovaDBClient, role_data, service_config_settings, mysql] rsyslog: tripleo_logging_sources_nova_scheduler: - {get_param: NovaSchedulerLoggingSource} 
diff --git a/deployment/nova/nova-vnc-proxy-container-puppet.yaml b/deployment/nova/nova-vnc-proxy-container-puppet.yaml index c8b4479f7a..276d44d2ce 100644 --- a/deployment/nova/nova-vnc-proxy-container-puppet.yaml +++ b/deployment/nova/nova-vnc-proxy-container-puppet.yaml @@ -138,6 +138,17 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + NovaDBClient: + type: ./nova-db-client-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + outputs: role_data: description: Role data for the Nova Vncproxy service. @@ -150,7 +161,9 @@ outputs: - 13080 config_settings: map_merge: - - {get_attr: [NovaLogging, config_settings]} + - get_attr: [NovaBase, role_data, config_settings] + - get_attr: [NovaDBClient, role_data, config_settings] + - get_attr: [NovaLogging, config_settings] - nova::vncproxy::enabled: true nova::vncproxy::common::vncproxy_protocol: {get_param: [EndpointMap, NovaVNCProxyCellPublic, protocol]} nova::vncproxy::common::vncproxy_host: {get_param: [EndpointMap, NovaVNCProxyCellPublic, host_nobrackets]} @@ -226,6 +239,10 @@ outputs: NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} - {} service_config_settings: + rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq} + mysql: + map_merge: + - get_attr: [NovaDBClient, role_data, service_config_settings, mysql] rsyslog: tripleo_logging_sources_nova_vnc_proxy: - {get_param: NovaVncproxyLoggingSource}
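Review bot: The config_settings map_merge now pulls in the whole of `NovaBase` role_data for vncproxy, which the commit message does not mention: before this change the service merged only `NovaLogging`, so every nova base hieradata key now lands on vncproxy-only nodes. That is probably what a standalone vncproxy needs once it stops inheriting from co-located api or conductor services, but it deserves a sentence in the commit message, and it presumes a `NovaBase` resource already exists in this template — the resources hunk above adds only `NovaDBClient`. The single-entry `map_merge` under mysql can simply be `mysql: {get_attr: [NovaDBClient, role_data, service_config_settings, mysql]}`.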