heat_template_version: ocata

description: >
  Libvirt service configured with Puppet

# Service template for the libvirt side of nova-compute. It layers the
# libvirt-specific hiera keys on top of the shared nova settings from
# nova-base.yaml and, when internal TLS is in use, requests the server
# and client certificates libvirt needs for TLS-transported live migration.

parameters:
  # Standard inputs every TripleO service template receives.
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry.  This
      mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
    type: json

  # libvirt tuning.
  NovaComputeLibvirtType:
    type: string
    default: kvm
  LibvirtEnabledPerfEvents:
    type: comma_delimited_list
    default: []
    description: >-
      This is a performance event list which could be used as monitor.
      For example - ``enabled_perf_events = cmt, mbml, mbmt``
      The supported events list can be found in
      https://libvirt.org/html/libvirt-libvirt-domain.html ,
      which you may need to search key words ``VIR_PERF_PARAM_*``
  MonitoringSubscriptionNovaLibvirt:
    default: 'overcloud-nova-libvirt'
    type: string

  # TLS knobs. Certificates are only requested when BOTH EnableInternalTLS
  # and UseTLSTransportForLiveMigration are true (see the
  # use_tls_for_live_migration condition below).
  EnableInternalTLS:
    type: boolean
    default: false
  UseTLSTransportForLiveMigration:
    type: boolean
    default: true
    description: >-
      If set to true and if EnableInternalTLS is enabled, it will
      set the libvirt URI's transport to tls and configure the
      relevant keys for libvirt.
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: >-
      Specifies the default CA cert to use if TLS is used for
      services in the internal network.
  LibvirtCACert:
    type: string
    default: ''
    description: >-
      This specifies the CA certificate to use for TLS in libvirt.
      This file will be symlinked to the default CA path in libvirt,
      which is /etc/pki/CA/cacert.pem. Note that due to limitations
      GNU TLS, which is the TLS backend for libvirt, the file must
      be less than 65K (so we can't use the system's CA bundle).
      This parameter should be used if the default (which comes from
      the InternalTLSCAFile parameter) is not desired. The current
      default reflects TripleO's default CA, which is FreeIPA.
      It will only be used if internal TLS is enabled.

conditions:
  # Both switches must be on; EnableInternalTLS alone does not move
  # live migration onto the tls transport.
  use_tls_for_live_migration:
    and:
      - equals:
          - get_param: EnableInternalTLS
          - true
      - equals:
          - get_param: UseTLSTransportForLiveMigration
          - true

  # An empty LibvirtCACert means "fall back to InternalTLSCAFile".
  libvirt_specific_ca_unset:
    equals:
      - get_param: LibvirtCACert
      - ''

resources:
  # Settings common to every nova service; merged in first below.
  NovaBase:
    type: ./nova-base.yaml
    properties:
      ServiceNetMap:
        get_param: ServiceNetMap
      DefaultPasswords:
        get_param: DefaultPasswords
      EndpointMap:
        get_param: EndpointMap
      RoleName:
        get_param: RoleName
      RoleParameters:
        get_param: RoleParameters

outputs:
  role_data:
    description: Role data for the Libvirt service.
    value:
      service_name: nova_libvirt
      monitoring_subscription:
        get_param: MonitoringSubscriptionNovaLibvirt
      config_settings:
        map_merge:
          # Shared nova settings first; later maps win on conflicting keys.
          - get_attr: [NovaBase, role_data, config_settings]
          # ::nova::compute::libvirt::services is included by the
          # nova/libvirt puppet profile, so the nova module must not
          # manage the libvirt services itself.
          - nova::compute::libvirt::manage_libvirt_services: false
            # Migration is handled by the common nova puppet profile,
            # not by the nova::compute::libvirt class.
            nova::compute::libvirt::migration_support: false
            tripleo::profile::base::nova::manage_migration: true
            tripleo::profile::base::nova::libvirt_enabled: true
            nova::compute::libvirt::services::libvirt_virt_type:
              get_param: NovaComputeLibvirtType
            nova::compute::libvirt::libvirt_virt_type:
              get_param: NovaComputeLibvirtType
            nova::compute::libvirt::libvirt_enabled_perf_events:
              get_param: LibvirtEnabledPerfEvents
            nova::compute::libvirt::qemu::configure_qemu: true
            nova::compute::libvirt::qemu::max_files: 32768
            nova::compute::libvirt::qemu::max_processes: 131072
            # VNC is bound to the host's NovaLibvirtNetwork address, not
            # to every interface.
            nova::compute::libvirt::vncserver_listen:
              get_param: [ServiceNetMap, NovaLibvirtNetwork]
            # Inbound ports opened on the compute host: 16514 is libvirt's
            # TLS listener, 49152-49215 libvirt's migration port range,
            # 5900-5999 the VNC console range.
            # NOTE(review): the TLS settings merged below secure the
            # libvirtd connection only; this template does not determine
            # whether VNC console traffic on 5900-5999 is protected —
            # confirm against the console proxy configuration.
            tripleo.nova_libvirt.firewall_rules:
              '200 nova_libvirt':
                dport:
                  - 16514
                  - '49152-49215'
                  - '5900-5999'
          # TLS for live migration: request certificates through certmonger
          # and point libvirt at them. When the condition is false an empty
          # map is merged, i.e. no TLS material is configured at all.
          - if:
              - use_tls_for_live_migration
              - generate_service_certificates: true
                tripleo::profile::base::nova::libvirt_tls: true
                # Migrations connect to the FQDN on the NovaLibvirtNetwork so
                # the name matches the server certificate requested below.
                nova::migration::libvirt::live_migration_inbound_addr:
                  str_replace:
                    template: "%{hiera('fqdn_$NETWORK')}"
                    params:
                      $NETWORK:
                        get_param: [ServiceNetMap, NovaLibvirtNetwork]
                # CA to trust for libvirt: the operator-supplied one if set,
                # else the internal-TLS default.
                tripleo::certmonger::ca::libvirt::origin_ca_pem:
                  if:
                    - libvirt_specific_ca_unset
                    - get_param: InternalTLSCAFile
                    - get_param: LibvirtCACert
                tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
                tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
                # One server and one client certificate, both issued for the
                # host's FQDN on the NovaLibvirtNetwork with a libvirt/
                # service principal.
                libvirt_certificates_specs:
                  libvirt-server-cert:
                    service_certificate: '/etc/pki/libvirt/servercert.pem'
                    service_key: '/etc/pki/libvirt/private/serverkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK:
                            get_param: [ServiceNetMap, NovaLibvirtNetwork]
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK:
                            get_param: [ServiceNetMap, NovaLibvirtNetwork]
                  libvirt-client-cert:
                    service_certificate: '/etc/pki/libvirt/clientcert.pem'
                    service_key: '/etc/pki/libvirt/private/clientkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK:
                            get_param: [ServiceNetMap, NovaLibvirtNetwork]
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK:
                            get_param: [ServiceNetMap, NovaLibvirtNetwork]
              - {}
      step_config: |
        include tripleo::profile::base::nova::libvirt
      # Tells the certificate-issuing side which network the libvirt
      # service identity lives on; nothing is registered without TLS.
      metadata_settings:
        if:
          - use_tls_for_live_migration
          -
            - service: libvirt
              network:
                get_param: [ServiceNetMap, NovaLibvirtNetwork]
              type: node
          - null
180               type: node
181           - null