openstack
/
tripleo-heat-templates
Code Issues Proposed changes
tripleo-heat-templates/deployment/nova/nova-base-puppet.yaml

304 lines
12 KiB
YAML
Raw Blame History

heat_template_version: wallaby
description: >
OpenStack Nova base service. Shared for all Nova services.
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
NotificationDriver:
type: comma_delimited_list
default: 'noop'
description: Driver or drivers to handle sending notifications.
NovaPassword:
description: The password for the nova service and db account
type: string
hidden: true
NeutronPassword:
description: The password for the neutron service and db account, used by neutron agents.
type: string
hidden: true
PlacementPassword:
description: The password for the Placement service and db account
type: string
hidden: true
PlacementAPIInterface:
type: string
description: >
Endpoint interface to be used for the placement API.
default: 'internal'
NovaOVSBridge:
default: 'br-int'
description: Name of integration bridge used by Open vSwitch
type: string
Debug:
type: boolean
default: false
description: Set to True to enable debugging on all services.
NovaDebug:
default: false
description: Set to True to enable debugging Nova services.
type: boolean
EnableCache:
description: Enable caching with memcached
type: boolean
default: true
EnableConfigPurge:
type: boolean
default: false
description: >
Remove configuration that is not generated by TripleO. Used to avoid
configuration remnants after upgrades.
UpgradeLevelNovaCompute:
type: string
description: Nova Compute upgrade level
default: ''
NovaApiPolicies:
description: |
A hash of policies to configure for Nova API.
e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
EnforceSecureRbac:
type: boolean
default: false
description: >-
Setting this option to True will configure each OpenStack service to
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
of RBAC personas across OpenStack services that include support for
system and project scope, as well as keystone's default roles, admin,
member, and reader. Do not enable this functionality until all services in
your deployment actually support secure RBAC.
NovaRestrictLiveMigration:
type: boolean
description: |
Restrict live migration by limit access to 'os_compute_api:os-migrate-server:migrate_live'
api policy to the NovaLiveMigrationRole role. This can be used to
disallow the default admin role use live migration.
Additional policies specified using NovaApiPolicies get merged with this
policy.
default: false
NovaRestrictLiveMigrationRole:
description: |
Name of the user role which gets set to limit live migration when
NovaRestrictLiveMigration is enabled.
default: 'live-migration'
type: string
NovaShowHostStatus:
type: string
description: |
Allow overriding API policies to access the compute host status in the
requested Nova server details. The default value 'hidden' allows only admins to
access it. Setting it to 'all' ('unknown-only') without additional fine-grained
tuning of NovaApiHostStatusPolicy shows the full (limited) host_status
to the system/project readers.
default: 'hidden'
constraints:
- allowed_values: ['all', 'unknown-only', 'hidden']
NovaApiHostStatusPolicy:
description: |
A custom API policy for os_compute_api:servers:show:host_status and
os_compute_api:servers:show:host_status:unknown-only.
These rules, or roles, replace the admins-only policies based on the given
NovaShowHostStatus: 'unknown-only' shows the limited host status UNKNOWN
whenever a heartbeat was not received within the configured threshold, and
'all' also reveals UP, DOWN, or MAINTENANCE statuses in the Nova server
details. NovaShowHostStatus 'hidden' puts it back being visible only for admins.
Additional policies specified using NovaApiPolicies get merged with this
policy.
# TODO(bogdando): use rule:system_or_project_reader once tripleo enforces scopes
default: 'role:reader'
type: string
NovaOVSDBConnection:
type: string
description: OVS DB connection string to used by Nova
default: ''
tags:
- role_specific
NovaSyncPowerStateInterval:
type: number
description:
Interval to sync power states between the database and the hypervisor. Set
to -1 to disable. Setting this to 0 will run at the default rate(60)
defined in oslo.service.
default: 600
RpcUseSSL:
default: false
description: >
Messaging client subscriber parameter to specify
an SSL connection to the messaging host.
type: string
NovaAdditionalCell:
default: false
description: Whether this is an cell additional to the default cell.
type: boolean
NovaCrossAZAttach:
default: true
description:
Whether instances can attach cinder volumes from a different availability zone.
type: boolean
NovaRpcResponseTimeout:
default: 60
description: Nova's RPC response timeout, in seconds.
type: number
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
conditions:
compute_upgrade_level_set:
not: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
tls_cache_enabled:
and:
- {get_param: EnableCache}
- {get_param: MemcachedTLS}
resources:
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- nova::ovsdb_connection: NovaOVSDBConnection
- values: {get_param: [RoleParameters]}
- values:
NovaOVSDBConnection: {get_param: NovaOVSDBConnection}
outputs:
role_data:
description: Role data for the Nova base service.
value:
service_name: nova_base
config_settings:
map_merge:
- nova::my_ip:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
nova::rabbit_use_ssl: {get_param: RpcUseSSL}
nova::keystone::service_user::send_service_user_token: true
nova::keystone::service_user::project_name: 'service'
nova::keystone::service_user::password: {get_param: NovaPassword}
nova::keystone::service_user::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
nova::keystone::service_user::region_name: {get_param: KeystoneRegion}
nova::placement::project_name: 'service'
nova::placement::password: {get_param: PlacementPassword}
nova::placement::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
nova::placement::region_name: {get_param: KeystoneRegion}
nova::placement::valid_interfaces: {get_param: PlacementAPIInterface}
nova::logging::debug:
if:
- {get_param: NovaDebug}
- true
- {get_param: Debug}
nova::purge_config: {get_param: EnableConfigPurge}
nova::network::neutron::project_name: 'service'
nova::network::neutron::username: 'neutron'
nova::network::neutron::region_name: {get_param: KeystoneRegion}
nova::dhcp_domain: ''
nova::network::neutron::password: {get_param: NeutronPassword}
nova::network::neutron::auth_url: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
nova::network::neutron::valid_interfaces: 'internal'
nova::glance::valid_interfaces: 'internal'
nova::rabbit_heartbeat_timeout_threshold: 60
nova::cinder::catalog_info: 'volumev3:cinderv3:internalURL'
nova::cinder::os_region_name: {get_param: KeystoneRegion}
# NOTE(tkajinam): Make sure the default (services) is overridden
nova::cinder::project_name: 'service'
nova::host: "%{lookup('fqdn_canonical')}"
nova::notify_on_state_change: 'vm_and_task_state'
nova::notification_driver: {get_param: NotificationDriver}
nova::notification_format: 'unversioned'
nova::network::neutron::auth_type: 'v3password'
nova::db::database_db_max_retries: -1
nova::db::database_max_retries: -1
nova::network::neutron::ovs_bridge: {get_param: NovaOVSBridge}
nova::compute::sync_power_state_interval: {get_param: NovaSyncPowerStateInterval}
nova_is_additional_cell: {get_param: NovaAdditionalCell}
nova::cinder::cross_az_attach: {get_param: NovaCrossAZAttach}
nova::cache::enabled: {get_param: EnableCache}
nova::cache::tls_enabled: {get_param: MemcachedTLS}
nova::rpc_response_timeout: {get_param: NovaRpcResponseTimeout}
nova::upgrade_level_compute:
if:
- compute_upgrade_level_set
- {get_param: UpgradeLevelNovaCompute}
nova::policy::enforce_new_defaults: {get_param: EnforceSecureRbac}
nova::policy::enforce_scope: {get_param: EnforceSecureRbac}
nova::policy::purge_config: true
nova::policy::policies: &nova_policies
map_merge:
- {get_param: NovaApiPolicies}
- if:
- {get_param: NovaRestrictLiveMigration}
- limit_live_migration:
key: 'os_compute_api:os-migrate-server:migrate_live'
value:
str_replace:
template: 'role:LMROLENAME'
params:
LMROLENAME: {get_param: NovaRestrictLiveMigrationRole}
- {}
- if:
- equals:
- {get_param: NovaShowHostStatus}
- 'all'
- nova-host_status:
key: 'os_compute_api:servers:show:host_status'
value: {get_param: NovaApiHostStatusPolicy}
- {}
- if:
- equals:
- {get_param: NovaShowHostStatus}
- 'unknown-only'
- nova-host_status_unknown_only:
key: 'os_compute_api:servers:show:host_status:unknown-only'
value: {get_param: NovaApiHostStatusPolicy}
- {}
- if:
- tls_cache_enabled
- nova::cache::backend: 'dogpile.cache.pymemcache'
nova::cache::enable_socket_keepalive: true
- nova::cache::backend: 'dogpile.cache.memcached'
- get_attr: [RoleParametersValue, value]
service_config_settings:
rabbitmq:
nova::rabbit_use_ssl: {get_param: RpcUseSSL}
horizon:
horizon::policy::nova_policies: *nova_policies
View Git Blame Copy Permalink