Change flat network name for nosdn fdio scenario
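heat_template_version: pike

description: >
  Libvirt service configured with Puppet

parameters:
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  CephClientUserName:
    default: openstack
    type: string
  CephClientKey:
    description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
    type: string
    # hidden keeps the key out of stack parameter listings
    hidden: true
  CephClusterFSID:
    type: string
    description: The Ceph cluster FSID. Must be a UUID.
  CinderEnableRbdBackend:
    default: false
    description: Whether to enable or not the Rbd backend for Cinder
    type: boolean
  NovaComputeLibvirtType:
    type: string
    default: kvm
  LibvirtEnabledPerfEvents:
    type: comma_delimited_list
    default: []
    description: This is a performance event list which could be used as monitor.
                 For example - ``enabled_perf_events = cmt, mbml, mbmt``
                 The supported events list can be found in
                 https://libvirt.org/html/libvirt-libvirt-domain.html ,
                 which you may need to search key words ``VIR_PERF_PARAM_*``
  MonitoringSubscriptionNovaLibvirt:
    default: 'overcloud-nova-libvirt'
    type: string
  EnableInternalTLS:
    type: boolean
    default: false
  UseTLSTransportForLiveMigration:
    type: boolean
    default: true
    description: If set to true and if EnableInternalTLS is enabled, it will
                 set the libvirt URI's transport to tls and configure the
                 relevant keys for libvirt. NOTE. this is currently being
                 ignored and TLS for libvirtd is always disabled for now.
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  LibvirtCACert:
    type: string
    default: ''
    description: This specifies the CA certificate to use for TLS in libvirt.
                 This file will be symlinked to the default CA path in libvirt,
                 which is /etc/pki/CA/cacert.pem. Note that due to limitations
                 GNU TLS, which is the TLS backend for libvirt, the file must
                 be less than 65K (so we can't use the system's CA bundle).
                 This parameter should be used if the default (which comes from
                 the InternalTLSCAFile parameter) is not desired. The current
                 default reflects TripleO's default CA, which is FreeIPA.
                 It will only be used if internal TLS is enabled.
  MigrationSshKey:
    type: json
    description: >
      SSH key for migration.
      Expects a dictionary with keys 'public_key' and 'private_key'.
      Values should be identical to SSH public/private key files.
    default:
      public_key: ''
      private_key: ''
    # private_key is a credential: it is passed to
    # tripleo::profile::base::nova::migration::client::ssh_private_key in
    # config_settings below. Mark the parameter hidden, as CephClientKey is,
    # so the key material is not echoed in stack parameter listings.
    hidden: true
  MigrationSshPort:
    default: 2022
    description: Target port for migration over ssh
    type: number

conditions:

  # Pinned to false: the TLS transport for live migration is disabled no
  # matter what EnableInternalTLS / UseTLSTransportForLiveMigration are set
  # to (see the UseTLSTransportForLiveMigration description). Every
  # `if: [use_tls_for_live_migration, ...]` below therefore takes its
  # false branch: no libvirt certificates are requested and no TLS
  # listen/inbound addresses are configured. The intended condition is
  # kept commented out for when TLS is re-enabled.
  use_tls_for_live_migration: false
  # and:
  # - equals:
  #   - {get_param: EnableInternalTLS}
  #   - true
  # - equals:
  #   - {get_param: UseTLSTransportForLiveMigration}
  #   - true

  # True when no dedicated libvirt CA was supplied, in which case
  # InternalTLSCAFile is used as origin_ca_pem below.
  libvirt_specific_ca_unset:
    equals:
      - {get_param: LibvirtCACert}
      - ''

resources:
  NovaBase:
    type: ./nova-base.yaml
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

outputs:
  role_data:
    description: Role data for the Libvirt service.
    value:
      service_name: nova_libvirt
      monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
      config_settings:
        map_merge:
          - get_attr: [NovaBase, role_data, config_settings]
          # we include ::nova::compute::libvirt::services in nova/libvirt profile
          - nova::compute::libvirt::manage_libvirt_services: false
          # we manage migration in nova common puppet profile
            nova::compute::libvirt::migration_support: false
            nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
            # keyring name is "client.<CephClientUserName>"
            nova::compute::rbd::rbd_keyring:
              list_join:
              - '.'
              - - 'client'
                - {get_param: CephClientUserName}
            nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey}
            nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID}
            tripleo::profile::base::nova::migration::client::libvirt_enabled: true
            # The migration ssh private key is delivered through config_settings
            # (presumably node hieradata - confirm against the puppet profile);
            # this is why MigrationSshKey is a hidden parameter.
            tripleo::profile::base::nova::migration::client::ssh_private_key: {get_param: [ MigrationSshKey, private_key ]}
            tripleo::profile::base::nova::migration::client::ssh_port: {get_param: MigrationSshPort}
            nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_enabled_perf_events: {get_param: LibvirtEnabledPerfEvents}
            nova::compute::libvirt::qemu::configure_qemu: true
            nova::compute::libvirt::qemu::max_files: 32768
            nova::compute::libvirt::qemu::max_processes: 131072
            # VNC listens on the host's NovaLibvirtNetwork address, not on
            # loopback, so the 5900-6923 range opened below is reachable from
            # that network; it must remain an internal network.
            nova::compute::libvirt::vncserver_listen: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
            rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
            tripleo.nova_libvirt.firewall_rules:
              '200 nova_libvirt':
                # 16514: libvirtd TLS listener; 49152-49215: live-migration
                # port range; 5900-6923: VNC consoles. 16514 is opened even
                # though use_tls_for_live_migration is pinned to false above
                # - NOTE(review): confirm it is still required.
                dport:
                  - 16514
                  - '49152-49215'
                  - '5900-6923'

          # TLS-only settings; an empty map is merged while the condition
          # is pinned to false.
          -
            if:
              - use_tls_for_live_migration
              -
                generate_service_certificates: true
                tripleo::profile::base::nova::migration::client::libvirt_tls: true
                nova::migration::libvirt::listen_address:
                  get_param: [ServiceNetMap, NovaLibvirtNetwork]
                nova::migration::libvirt::live_migration_inbound_addr:
                  str_replace:
                    template:
                      "%{hiera('fqdn_$NETWORK')}"
                    params:
                      $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                # Fall back to the deployment-wide CA unless a dedicated
                # libvirt CA was given (see the size limit noted on LibvirtCACert).
                tripleo::certmonger::ca::libvirt::origin_ca_pem:
                  if:
                    - libvirt_specific_ca_unset
                    - get_param: InternalTLSCAFile
                    - get_param: LibvirtCACert
                tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
                tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
                # Server and client certificates are both issued for this
                # host's NovaLibvirtNetwork FQDN under the libvirt/ principal.
                libvirt_certificates_specs:
                  libvirt-server-cert:
                    service_certificate: '/etc/pki/libvirt/servercert.pem'
                    service_key: '/etc/pki/libvirt/private/serverkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                  libvirt-client-cert:
                    service_certificate: '/etc/pki/libvirt/clientcert.pem'
                    service_key: '/etc/pki/libvirt/private/clientkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              - {}
      step_config: |
        include tripleo::profile::base::nova::libvirt
      # Certificate metadata for the libvirt service; null while the TLS
      # condition is pinned to false.
      metadata_settings:
        if:
          - use_tls_for_live_migration
          -
            - service: libvirt
              network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              type: node
          - null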