304 lines
12 KiB
YAML
304 lines
12 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack Nova base service. Shared for all Nova services.
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
NotificationDriver:
|
|
type: comma_delimited_list
|
|
default: 'noop'
|
|
description: Driver or drivers to handle sending notifications.
|
|
NovaPassword:
|
|
description: The password for the nova service and db account
|
|
type: string
|
|
hidden: true
|
|
NeutronPassword:
|
|
description: The password for the neutron service and db account, used by neutron agents.
|
|
type: string
|
|
hidden: true
|
|
PlacementPassword:
|
|
description: The password for the Placement service and db account
|
|
type: string
|
|
hidden: true
|
|
PlacementAPIInterface:
|
|
type: string
|
|
description: >
|
|
Endpoint interface to be used for the placement API.
|
|
default: 'internal'
|
|
NovaOVSBridge:
|
|
default: 'br-int'
|
|
description: Name of integration bridge used by Open vSwitch
|
|
type: string
|
|
Debug:
|
|
type: boolean
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
NovaDebug:
|
|
default: false
|
|
description: Set to True to enable debugging Nova services.
|
|
type: boolean
|
|
EnableCache:
|
|
description: Enable caching with memcached
|
|
type: boolean
|
|
default: true
|
|
EnableConfigPurge:
|
|
type: boolean
|
|
default: false
|
|
description: >
|
|
Remove configuration that is not generated by TripleO. Used to avoid
|
|
configuration remnants after upgrades.
|
|
UpgradeLevelNovaCompute:
|
|
type: string
|
|
description: Nova Compute upgrade level
|
|
default: ''
|
|
NovaApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Nova API.
|
|
e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
EnforceSecureRbac:
|
|
type: boolean
|
|
default: false
|
|
description: >-
|
|
Setting this option to True will configure each OpenStack service to
|
|
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
|
|
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
|
|
of RBAC personas across OpenStack services that include support for
|
|
system and project scope, as well as keystone's default roles, admin,
|
|
member, and reader. Do not enable this functionality until all services in
|
|
your deployment actually support secure RBAC.
|
|
NovaRestrictLiveMigration:
|
|
type: boolean
|
|
description: |
|
|
Restrict live migration by limit access to 'os_compute_api:os-migrate-server:migrate_live'
|
|
api policy to the NovaLiveMigrationRole role. This can be used to
|
|
disallow the default admin role use live migration.
|
|
Additional policies specified using NovaApiPolicies get merged with this
|
|
policy.
|
|
default: false
|
|
NovaRestrictLiveMigrationRole:
|
|
description: |
|
|
Name of the user role which gets set to limit live migration when
|
|
NovaRestrictLiveMigration is enabled.
|
|
default: 'live-migration'
|
|
type: string
|
|
NovaShowHostStatus:
|
|
type: string
|
|
description: |
|
|
Allow overriding API policies to access the compute host status in the
|
|
requested Nova server details. The default value 'hidden' allows only admins to
|
|
access it. Setting it to 'all' ('unknown-only') without additional fine-grained
|
|
tuning of NovaApiHostStatusPolicy shows the full (limited) host_status
|
|
to the system/project readers.
|
|
default: 'hidden'
|
|
constraints:
|
|
- allowed_values: ['all', 'unknown-only', 'hidden']
|
|
NovaApiHostStatusPolicy:
|
|
description: |
|
|
A custom API policy for os_compute_api:servers:show:host_status and
|
|
os_compute_api:servers:show:host_status:unknown-only.
|
|
These rules, or roles, replace the admins-only policies based on the given
|
|
NovaShowHostStatus: 'unknown-only' shows the limited host status UNKNOWN
|
|
whenever a heartbeat was not received within the configured threshold, and
|
|
'all' also reveals UP, DOWN, or MAINTENANCE statuses in the Nova server
|
|
details. NovaShowHostStatus 'hidden' puts it back being visible only for admins.
|
|
Additional policies specified using NovaApiPolicies get merged with this
|
|
policy.
|
|
# TODO(bogdando): use rule:system_or_project_reader once tripleo enforces scopes
|
|
default: 'role:reader'
|
|
type: string
|
|
NovaOVSDBConnection:
|
|
type: string
|
|
description: OVS DB connection string to used by Nova
|
|
default: ''
|
|
tags:
|
|
- role_specific
|
|
NovaSyncPowerStateInterval:
|
|
type: number
|
|
description:
|
|
Interval to sync power states between the database and the hypervisor. Set
|
|
to -1 to disable. Setting this to 0 will run at the default rate(60)
|
|
defined in oslo.service.
|
|
default: 600
|
|
RpcUseSSL:
|
|
default: false
|
|
description: >
|
|
Messaging client subscriber parameter to specify
|
|
an SSL connection to the messaging host.
|
|
type: string
|
|
NovaAdditionalCell:
|
|
default: false
|
|
description: Whether this is an cell additional to the default cell.
|
|
type: boolean
|
|
NovaCrossAZAttach:
|
|
default: true
|
|
description:
|
|
Whether instances can attach cinder volumes from a different availability zone.
|
|
type: boolean
|
|
NovaRpcResponseTimeout:
|
|
default: 60
|
|
description: Nova's RPC response timeout, in seconds.
|
|
type: number
|
|
MemcachedTLS:
|
|
default: false
|
|
description: Set to True to enable TLS on Memcached service.
|
|
Because not all services support Memcached TLS, during the
|
|
migration period, Memcached will listen on 2 ports - on the
|
|
port set with MemcachedPort parameter (above) and on 11211,
|
|
without TLS.
|
|
type: boolean
|
|
|
|
conditions:
|
|
compute_upgrade_level_set:
|
|
not: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
|
|
tls_cache_enabled:
|
|
and:
|
|
- {get_param: EnableCache}
|
|
- {get_param: MemcachedTLS}
|
|
|
|
resources:
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- nova::ovsdb_connection: NovaOVSDBConnection
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
NovaOVSDBConnection: {get_param: NovaOVSDBConnection}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Nova base service.
|
|
value:
|
|
service_name: nova_base
|
|
config_settings:
|
|
map_merge:
|
|
- nova::my_ip:
|
|
str_replace:
|
|
template:
|
|
"%{lookup('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
|
nova::rabbit_use_ssl: {get_param: RpcUseSSL}
|
|
nova::keystone::service_user::send_service_user_token: true
|
|
nova::keystone::service_user::project_name: 'service'
|
|
nova::keystone::service_user::password: {get_param: NovaPassword}
|
|
nova::keystone::service_user::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
nova::keystone::service_user::region_name: {get_param: KeystoneRegion}
|
|
nova::placement::project_name: 'service'
|
|
nova::placement::password: {get_param: PlacementPassword}
|
|
nova::placement::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
nova::placement::region_name: {get_param: KeystoneRegion}
|
|
nova::placement::valid_interfaces: {get_param: PlacementAPIInterface}
|
|
nova::logging::debug:
|
|
if:
|
|
- {get_param: NovaDebug}
|
|
- true
|
|
- {get_param: Debug}
|
|
nova::purge_config: {get_param: EnableConfigPurge}
|
|
nova::network::neutron::project_name: 'service'
|
|
nova::network::neutron::username: 'neutron'
|
|
nova::network::neutron::region_name: {get_param: KeystoneRegion}
|
|
nova::dhcp_domain: ''
|
|
nova::network::neutron::password: {get_param: NeutronPassword}
|
|
nova::network::neutron::auth_url: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
|
|
nova::network::neutron::valid_interfaces: 'internal'
|
|
nova::glance::valid_interfaces: 'internal'
|
|
nova::rabbit_heartbeat_timeout_threshold: 60
|
|
nova::cinder::catalog_info: 'volumev3:cinderv3:internalURL'
|
|
nova::cinder::os_region_name: {get_param: KeystoneRegion}
|
|
# NOTE(tkajinam): Make sure the default (services) is overridden
|
|
nova::cinder::project_name: 'service'
|
|
nova::host: "%{lookup('fqdn_canonical')}"
|
|
nova::notify_on_state_change: 'vm_and_task_state'
|
|
nova::notification_driver: {get_param: NotificationDriver}
|
|
nova::notification_format: 'unversioned'
|
|
nova::network::neutron::auth_type: 'v3password'
|
|
nova::db::database_db_max_retries: -1
|
|
nova::db::database_max_retries: -1
|
|
nova::network::neutron::ovs_bridge: {get_param: NovaOVSBridge}
|
|
nova::compute::sync_power_state_interval: {get_param: NovaSyncPowerStateInterval}
|
|
nova_is_additional_cell: {get_param: NovaAdditionalCell}
|
|
nova::cinder::cross_az_attach: {get_param: NovaCrossAZAttach}
|
|
nova::cache::enabled: {get_param: EnableCache}
|
|
nova::cache::tls_enabled: {get_param: MemcachedTLS}
|
|
nova::rpc_response_timeout: {get_param: NovaRpcResponseTimeout}
|
|
nova::upgrade_level_compute:
|
|
if:
|
|
- compute_upgrade_level_set
|
|
- {get_param: UpgradeLevelNovaCompute}
|
|
nova::policy::enforce_new_defaults: {get_param: EnforceSecureRbac}
|
|
nova::policy::enforce_scope: {get_param: EnforceSecureRbac}
|
|
nova::policy::purge_config: true
|
|
nova::policy::policies: &nova_policies
|
|
map_merge:
|
|
- {get_param: NovaApiPolicies}
|
|
- if:
|
|
- {get_param: NovaRestrictLiveMigration}
|
|
- limit_live_migration:
|
|
key: 'os_compute_api:os-migrate-server:migrate_live'
|
|
value:
|
|
str_replace:
|
|
template: 'role:LMROLENAME'
|
|
params:
|
|
LMROLENAME: {get_param: NovaRestrictLiveMigrationRole}
|
|
- {}
|
|
- if:
|
|
- equals:
|
|
- {get_param: NovaShowHostStatus}
|
|
- 'all'
|
|
- nova-host_status:
|
|
key: 'os_compute_api:servers:show:host_status'
|
|
value: {get_param: NovaApiHostStatusPolicy}
|
|
- {}
|
|
- if:
|
|
- equals:
|
|
- {get_param: NovaShowHostStatus}
|
|
- 'unknown-only'
|
|
- nova-host_status_unknown_only:
|
|
key: 'os_compute_api:servers:show:host_status:unknown-only'
|
|
value: {get_param: NovaApiHostStatusPolicy}
|
|
- {}
|
|
- if:
|
|
- tls_cache_enabled
|
|
- nova::cache::backend: 'dogpile.cache.pymemcache'
|
|
nova::cache::enable_socket_keepalive: true
|
|
- nova::cache::backend: 'dogpile.cache.memcached'
|
|
- get_attr: [RoleParametersValue, value]
|
|
service_config_settings:
|
|
rabbitmq:
|
|
nova::rabbit_use_ssl: {get_param: RpcUseSSL}
|
|
horizon:
|
|
horizon::policy::nova_policies: *nova_policies
|