1 heat_template_version: pike
4 Libvirt service configured with Puppet
9 description: Dictionary packing service data
13 description: Mapping of service_name -> network name. Typically set
14 via parameter_defaults in the resource registry. This
15 mapping overrides those in ServiceNetMapDefaults.
22 description: Role name on which the service is applied
26 description: Parameters specific to the role
30 description: Mapping of service endpoint -> protocol. Typically set
31 via parameter_defaults in the resource registry.
# NOTE(review): the Ceph client key is secret material. The type/hidden lines
# of this parameter are not shown in this listing; confirm the declaration
# sets `hidden: true` so Heat does not echo the value when parameters are shown.
37 description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. Currently only used for external Ceph deployments to create the openstack user keyring.
42 description: The Ceph cluster FSID. Must be a UUID.
43 CinderEnableRbdBackend:
45 description: Whether or not to enable the Rbd backend for Cinder
47 NovaComputeLibvirtType:
50 LibvirtEnabledPerfEvents:
51 type: comma_delimited_list
53 description: This is a list of performance events that can be monitored.
54 For example - ``enabled_perf_events = cmt, mbml, mbmt``
55 The supported events list can be found in
56 https://libvirt.org/html/libvirt-libvirt-domain.html ,
57 where you may need to search for the keyword ``VIR_PERF_PARAM_*``
58 MonitoringSubscriptionNovaLibvirt:
59 default: 'overcloud-nova-libvirt'
64 UseTLSTransportForLiveMigration:
67 description: If set to true and if EnableInternalTLS is enabled, it will
68 set the libvirt URI's transport to tls and configure the
69 relevant keys for libvirt.
71 default: '/etc/ipa/ca.crt'
73 description: Specifies the default CA cert to use if TLS is used for
74 services in the internal network.
78 description: This specifies the CA certificate to use for TLS in libvirt.
79 This file will be symlinked to the default CA path in libvirt,
80 which is /etc/pki/CA/cacert.pem. Note that due to limitations in
81 GNU TLS, which is the TLS backend for libvirt, the file must
82 be less than 65K (so we can't use the system's CA bundle).
83 This parameter should be used if the default (which comes from
84 the InternalTLSCAFile parameter) is not desired. The current
85 default reflects TripleO's default CA, which is FreeIPA.
86 It will only be used if internal TLS is enabled.
90 SSH key for migration.
91 Expects a dictionary with keys 'public_key' and 'private_key'.
92 Values should be identical to SSH public/private key files.
98 description: Target port for migration over ssh
# Condition that gates the TLS live-migration settings further down. It reads
# EnableInternalTLS and UseTLSTransportForLiveMigration; the lines that
# combine the two are not shown in this listing.
# NOTE(review): presumably both must be true, as the
# UseTLSTransportForLiveMigration description states - confirm.
103 use_tls_for_live_migration:
106 - {get_param: EnableInternalTLS}
109 - {get_param: UseTLSTransportForLiveMigration}
# Condition derived from LibvirtCACert; it is used further down to pick the CA
# file handed to tripleo::certmonger::ca::libvirt::origin_ca_pem. The
# comparison applied to the parameter is not shown in this listing.
112 libvirt_specific_ca_unset:
114 - {get_param: LibvirtCACert}
# Nested resource built from ./nova-base.yaml (presumably the NovaBase resource
# read with get_attr in the outputs). Each property is passed through
# unchanged from this template's parameter of the same name.
119 type: ./nova-base.yaml
121 ServiceData: {get_param: ServiceData}
122 ServiceNetMap: {get_param: ServiceNetMap}
123 DefaultPasswords: {get_param: DefaultPasswords}
124 EndpointMap: {get_param: EndpointMap}
125 RoleName: {get_param: RoleName}
126 RoleParameters: {get_param: RoleParameters}
# Role data output for the libvirt service: service name, monitoring
# subscription and the hiera settings consumed by the Puppet profiles.
130 description: Role data for the Libvirt service.
132 service_name: nova_libvirt
133 monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
# The settings start from NovaBase's config_settings; the operator that
# combines them with the entries below is not shown in this listing.
136 - get_attr: [NovaBase, role_data, config_settings]
137 # we include ::nova::compute::libvirt::services in nova/libvirt profile
138 - nova::compute::libvirt::manage_libvirt_services: false
139 # we manage migration in nova common puppet profile
140 nova::compute::libvirt::migration_support: false
# Ceph RBD access for libvirt: user name, keyring name (built from the user
# name; the join lines are not shown), secret key and secret UUID.
141 nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
142 nova::compute::rbd::rbd_keyring:
146 - {get_param: CephClientUserName}
# NOTE(review): CephClientKey is a secret and is written into the service
# settings here; confirm the parameter is declared hidden and that the rendered
# hieradata is readable only by privileged users.
147 nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey}
148 nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID}
149 tripleo::profile::base::nova::migration::client::libvirt_enabled: true
# NOTE(review): the private half of MigrationSshKey is passed through as a
# setting; the same confidentiality checks apply (hidden parameter, restricted
# hieradata). The parameter's declaration is not fully visible in this listing.
150 tripleo::profile::base::nova::migration::client::ssh_private_key: {get_param: [ MigrationSshKey, private_key ]}
151 tripleo::profile::base::nova::migration::client::ssh_port: {get_param: MigrationSshPort}
# The same NovaComputeLibvirtType value feeds both virt_type settings.
152 nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
153 nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
154 nova::compute::libvirt::libvirt_enabled_perf_events: {get_param: LibvirtEnabledPerfEvents}
# qemu is configured with fixed limits for open files and processes.
155 nova::compute::libvirt::qemu::configure_qemu: true
156 nova::compute::libvirt::qemu::max_files: 32768
157 nova::compute::libvirt::qemu::max_processes: 131072
# The VNC listen setting is taken from the NovaLibvirtNetwork entry of
# ServiceNetMap, not from a fixed literal.
# NOTE(review): which address that entry resolves to depends on ServiceNetMap,
# which is not visible here - confirm it is not an externally reachable one.
158 nova::compute::libvirt::vncserver_listen: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
159 rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
# Firewall rules for this service; the rule bodies are not shown in this
# listing, so the opened ports cannot be reviewed from here.
160 tripleo.nova_libvirt.firewall_rules:
# Settings that follow the use_tls_for_live_migration condition (presumably
# the true branch of an `if` whose header line is not shown): certificate
# generation and the libvirt TLS migration client are switched on.
169 - use_tls_for_live_migration
171 generate_service_certificates: true
172 tripleo::profile::base::nova::migration::client::libvirt_tls: true
# The inbound migration address is a hiera lookup of fqdn_<network>, with
# $NETWORK replaced by the NovaLibvirtNetwork entry of ServiceNetMap.
173 nova::migration::libvirt::live_migration_inbound_addr:
176 "%{hiera('fqdn_$NETWORK')}"
178 $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
# CA selection: libvirt_specific_ca_unset is listed first, followed by
# InternalTLSCAFile and then LibvirtCACert - i.e. the internal-TLS default CA
# when no libvirt-specific CA is set, otherwise LibvirtCACert (assuming the
# enclosing function is `if`; its header line is not shown).
179 tripleo::certmonger::ca::libvirt::origin_ca_pem:
181 - libvirt_specific_ca_unset
182 - get_param: InternalTLSCAFile
183 - get_param: LibvirtCACert
# Certificate and private-key directories for libvirt.
# NOTE(review): ownership and mode of the key directory are not set in the
# visible lines; confirm the consuming Puppet class restricts read access.
184 tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
185 tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
# Certificate request specs for libvirt. Two certificate/key pairs are
# described: servercert/serverkey and clientcert/clientkey, both under
# /etc/pki/libvirt with the keys in the private/ subdirectory.
186 libvirt_certificates_specs:
188 service_certificate: '/etc/pki/libvirt/servercert.pem'
189 service_key: '/etc/pki/libvirt/private/serverkey.pem'
# Both templates substitute NETWORK with the NovaLibvirtNetwork entry of
# ServiceNetMap, so the identity is the node's FQDN on that network. The keys
# these templates are assigned to are not shown (presumably hostname and
# principal - confirm).
192 template: "%{hiera('fqdn_NETWORK')}"
194 NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
197 template: "libvirt/%{hiera('fqdn_NETWORK')}"
199 NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
# Client pair: same FQDN-based identity templates as the server pair above.
201 service_certificate: '/etc/pki/libvirt/clientcert.pem'
202 service_key: '/etc/pki/libvirt/private/clientkey.pem'
205 template: "%{hiera('fqdn_NETWORK')}"
207 NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
210 template: "libvirt/%{hiera('fqdn_NETWORK')}"
212 NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
215 include tripleo::profile::base::nova::libvirt
# Entry gated on use_tls_for_live_migration; its network is the
# NovaLibvirtNetwork entry of ServiceNetMap. The enclosing key and the
# remaining fields of the entry are not shown in this listing.
218 - use_tls_for_live_migration
221 network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}