heat_template_version: ocata

# Service template for nova_libvirt: the role_data output below carries the
# hiera settings and the puppet profile (tripleo::profile::base::nova::libvirt)
# that configure libvirt on the node.
description: |
  Libvirt service configured with Puppet

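parameters:
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    description: Passed through unchanged to nova-base.yaml. Supply the
                 values at deploy time; do not commit them in a template.
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  NovaComputeLibvirtType:
    type: string
    default: kvm
    description: Libvirt virtualization type. Fed to both
                 nova::compute::libvirt::libvirt_virt_type and
                 nova::compute::libvirt::services::libvirt_virt_type.
  LibvirtEnabledPerfEvents:
    type: comma_delimited_list
    default: []
    description: This is a performance event list which could be used as monitor.
                 For example - ``enabled_perf_events = cmt, mbml, mbmt``
                 The supported events list can be found in
                 https://libvirt.org/html/libvirt-libvirt-domain.html ,
                 which you may need to search key words ``VIR_PERF_PARAM_*``
  # Emitted verbatim as role_data.monitoring_subscription.
  MonitoringSubscriptionNovaLibvirt:
    default: 'overcloud-nova-libvirt'
    type: string
  EnableInternalTLS:
    type: boolean
    default: false
    description: Whether TLS is used for services on the internal network.
                 Together with UseTLSTransportForLiveMigration this gates the
                 libvirt TLS transport and certificate configuration.
  UseTLSTransportForLiveMigration:
    type: boolean
    default: true
    description: If set to true and if EnableInternalTLS is enabled, it will
                 set the libvirt URI's transport to tls and configure the
                 relevant keys for libvirt.
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  LibvirtCACert:
    type: string
    default: ''
    description: This specifies the CA certificate to use for TLS in libvirt.
                 This file will be symlinked to the default CA path in libvirt,
                 which is /etc/pki/CA/cacert.pem. Note that due to limitations
                 of GNU TLS, which is the TLS backend for libvirt, the file must
                 be less than 65K (so we can't use the system's CA bundle).
                 This parameter should be used if the default (which comes from
                 the InternalTLSCAFile parameter) is not desired. The current
                 default reflects TripleO's default CA, which is FreeIPA.
                 It will only be used if internal TLS is enabled.
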
conditions:

  # libvirt is switched to the tls transport (and certificates are requested)
  # only when internal TLS is on AND the migration transport opts in; either
  # flag alone leaves the TLS branch of the outputs disabled.
  use_tls_for_live_migration:
    and:
      - equals: [{get_param: EnableInternalTLS}, true]
      - equals: [{get_param: UseTLSTransportForLiveMigration}, true]

  # An empty LibvirtCACert means "fall back to InternalTLSCAFile".
  libvirt_specific_ca_unset:
    equals: [{get_param: LibvirtCACert}, '']

resources:
  # Shared nova settings; its role_data.config_settings are merged into this
  # service's config_settings in the outputs section.
  NovaBase:
    type: ./nova-base.yaml
    properties:
      ServiceNetMap:
        get_param: ServiceNetMap
      DefaultPasswords:
        get_param: DefaultPasswords
      EndpointMap:
        get_param: EndpointMap

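outputs:
  role_data:
    description: Role data for the Libvirt service.
    value:
      service_name: nova_libvirt
      monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
      config_settings:
        map_merge:
          - get_attr: [NovaBase, role_data, config_settings]
          # we include ::nova::compute::libvirt::services in nova/libvirt profile
          - nova::compute::libvirt::manage_libvirt_services: false
            # we manage migration in nova common puppet profile
            nova::compute::libvirt::migration_support: false
            tripleo::profile::base::nova::manage_migration: true
            tripleo::profile::base::nova::libvirt_enabled: true
            nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_enabled_perf_events: {get_param: LibvirtEnabledPerfEvents}
            nova::compute::libvirt::qemu::configure_qemu: true
            # File-descriptor and process limits handed to the qemu puppet class.
            nova::compute::libvirt::qemu::max_files: 32768
            nova::compute::libvirt::qemu::max_processes: 131072
            # Bind the VNC server to this node's address on the libvirt network,
            # the same network the firewall rule below exposes.
            nova::compute::libvirt::vncserver_listen: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
            # Node firewall openings for this service. They are part of the
            # unconditional settings, so 16514 is opened even when the TLS
            # branch below is disabled; the non-TLS transport is not managed here.
            tripleo.nova_libvirt.firewall_rules:
              '200 nova_libvirt':
                dport:
                  - 16514            # libvirtd TLS listen port
                  - '49152-49215'    # live-migration data streams
                  - '5900-5999'      # VNC consoles (see vncserver_listen)

          - if:
              - use_tls_for_live_migration
              # TLS branch: request certificates and switch libvirt to tls.
              - generate_service_certificates: true
                tripleo::profile::base::nova::libvirt_tls: true
                # Inbound migrations target this node's FQDN on the libvirt
                # network, the same name the server certificate is issued for.
                nova::migration::libvirt::live_migration_inbound_addr:
                  str_replace:
                    template: "%{hiera('fqdn_NETWORK')}"
                    params:
                      NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                # CA libvirt trusts: LibvirtCACert when set, otherwise the
                # internal CA from InternalTLSCAFile (a single CA file, not the
                # system bundle; see the LibvirtCACert parameter description).
                tripleo::certmonger::ca::libvirt::origin_ca_pem:
                  if:
                    - libvirt_specific_ca_unset
                    - {get_param: InternalTLSCAFile}
                    - {get_param: LibvirtCACert}
                tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
                tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
                libvirt_certificates_specs:
                  libvirt-server-cert:
                    service_certificate: '/etc/pki/libvirt/servercert.pem'
                    service_key: '/etc/pki/libvirt/private/serverkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                  # NOTE(review): the client certificate is requested for the
                  # same hostname and principal as the server certificate;
                  # confirm that is what the certmonger/IPA setup expects.
                  libvirt-client-cert:
                    service_certificate: '/etc/pki/libvirt/clientcert.pem'
                    service_key: '/etc/pki/libvirt/private/clientkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              # Non-TLS: nothing extra is merged.
              - {}
      step_config: |
        include tripleo::profile::base::nova::libvirt
      # Published only when the TLS transport is enabled; null otherwise.
      # Presumably consumed by the node metadata/certificate machinery — confirm.
      metadata_settings:
        if:
          - use_tls_for_live_migration
          - - service: libvirt
              network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              type: node
          - null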