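heat_template_version: pike

description: >
  Libvirt service configured with Puppet

# Service template for libvirt on compute nodes. It layers libvirt/QEMU/RBD
# settings and the compute-side live-migration client settings on top of
# ./nova-base.yaml. When internal TLS is enabled (and the TLS transport for
# live migration is not opted out of), it additionally requests server and
# client certificates for libvirt and switches the migration client to TLS;
# otherwise the SSH key/port parameters below are what the client uses.

parameters:
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
    # Carries generated passwords (per its name); masked so they are not
    # echoed by stack/parameter listings, same as the other secrets here.
    hidden: true
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  CephClientUserName:
    default: openstack
    type: string
  CephClientKey:
    description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
    type: string
    # Secret: keep masked in stack/parameter output.
    hidden: true
  CephClusterFSID:
    type: string
    description: The Ceph cluster FSID. Must be a UUID.
  CinderEnableRbdBackend:
    default: false
    description: Whether to enable or not the Rbd backend for Cinder
    type: boolean
  NovaComputeLibvirtType:
    type: string
    default: kvm
  LibvirtEnabledPerfEvents:
    type: comma_delimited_list
    default: []
    description: This is a performance event list which could be used as monitor.
                 For example - ``enabled_perf_events = cmt, mbml, mbmt``
                 The supported events list can be found in
                 https://libvirt.org/html/libvirt-libvirt-domain.html ,
                 which you may need to search key words ``VIR_PERF_PARAM_*``
  MonitoringSubscriptionNovaLibvirt:
    default: 'overcloud-nova-libvirt'
    type: string
  EnableInternalTLS:
    type: boolean
    default: false
  UseTLSTransportForLiveMigration:
    type: boolean
    default: true
    description: If set to true and if EnableInternalTLS is enabled, it will
                 set the libvirt URI's transport to tls and configure the
                 relevant keys for libvirt.
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  LibvirtCACert:
    type: string
    default: ''
    description: This specifies the CA certificate to use for TLS in libvirt.
                 This file will be symlinked to the default CA path in libvirt,
                 which is /etc/pki/CA/cacert.pem. Note that due to limitations
                 of GNU TLS, which is the TLS backend for libvirt, the file must
                 be less than 65K (so we can't use the system's CA bundle).
                 This parameter should be used if the default (which comes from
                 the InternalTLSCAFile parameter) is not desired. The current
                 default reflects TripleO's default CA, which is FreeIPA.
                 It will only be used if internal TLS is enabled.
  MigrationSshKey:
    type: json
    description: >
      SSH key for migration.
      Expects a dictionary with keys 'public_key' and 'private_key'.
      Values should be identical to SSH public/private key files.
    default:
      public_key: ''
      private_key: ''
    # The private half of this key is handed to the migration client
    # configuration below (ssh_private_key). Mask the whole parameter, as is
    # done for CephClientKey, so the key material is not printed in clear by
    # stack parameter listings.
    hidden: true
  MigrationSshPort:
    default: 22
    description: Target port for migration over ssh
    type: number

conditions:

  # TLS transport for live migration is only used when internal TLS is on
  # AND the operator has not opted out via UseTLSTransportForLiveMigration.
  use_tls_for_live_migration:
    and:
    - equals:
      - {get_param: EnableInternalTLS}
      - true
    - equals:
      - {get_param: UseTLSTransportForLiveMigration}
      - true

  # True when no libvirt-specific CA was given; InternalTLSCAFile is used then.
  libvirt_specific_ca_unset:
    equals:
      - {get_param: LibvirtCACert}
      - ''

resources:
  NovaBase:
    type: ./nova-base.yaml
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

outputs:
  role_data:
    description: Role data for the Libvirt service.
    value:
      service_name: nova_libvirt
      monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
      config_settings:
        map_merge:
          # Base nova hieradata first; the maps below override it.
          - get_attr: [NovaBase, role_data, config_settings]
          # we include ::nova::compute::libvirt::services in nova/libvirt profile
          - nova::compute::libvirt::manage_libvirt_services: false
            # we manage migration in nova common puppet profile
            nova::compute::libvirt::migration_support: false
            nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
            # Keyring name is "client.<CephClientUserName>".
            nova::compute::rbd::rbd_keyring:
              list_join:
              - '.'
              - - 'client'
                - {get_param: CephClientUserName}
            nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey}
            nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID}
            # Migration client side: the SSH key/port are always passed; the
            # TLS map further down only adds to this when TLS is in use.
            tripleo::profile::base::nova::migration::client::libvirt_enabled: true
            tripleo::profile::base::nova::migration::client::ssh_private_key: {get_param: [ MigrationSshKey, private_key ]}
            tripleo::profile::base::nova::migration::client::ssh_port: {get_param: MigrationSshPort}
            nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_enabled_perf_events: {get_param: LibvirtEnabledPerfEvents}
            nova::compute::libvirt::qemu::configure_qemu: true
            nova::compute::libvirt::qemu::max_files: 32768
            nova::compute::libvirt::qemu::max_processes: 131072
            # VNC is bound to the NovaLibvirtNetwork address only, not 0.0.0.0.
            nova::compute::libvirt::vncserver_listen: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
            rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
            # Node-firewall openings for this service. NOTE(review): 16514 is
            # libvirt's TLS listener, 49152-49215 the live-migration range and
            # 5900-6923 the VNC consoles - verify against libvirtd.conf and
            # nova.conf before changing these. No rule is added for the
            # unencrypted libvirt TCP listener.
            tripleo.nova_libvirt.firewall_rules:
              '200 nova_libvirt':
                dport:
                  - 16514
                  - '49152-49215'
                  - '5900-6923'

          # TLS-only settings; an empty map is merged when TLS is not in use.
          -
            if:
              - use_tls_for_live_migration
              -
                generate_service_certificates: true
                tripleo::profile::base::nova::migration::client::libvirt_tls: true
                nova::migration::libvirt::listen_address:
                  get_param: [ServiceNetMap, NovaLibvirtNetwork]
                # Inbound address is the node's FQDN on the libvirt network,
                # resolved from hiera at Puppet run time (fqdn_<network>).
                nova::migration::libvirt::live_migration_inbound_addr:
                  str_replace:
                    template:
                      "%{hiera('fqdn_$NETWORK')}"
                    params:
                      $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                # CA for libvirt: the libvirt-specific one if given, else the
                # internal default (FreeIPA's /etc/ipa/ca.crt unless overridden).
                tripleo::certmonger::ca::libvirt::origin_ca_pem:
                  if:
                    - libvirt_specific_ca_unset
                    - get_param: InternalTLSCAFile
                    - get_param: LibvirtCACert
                tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
                tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
                # Both a server and a client certificate are requested for the
                # same host/principal; keys live under the private dir above.
                libvirt_certificates_specs:
                  libvirt-server-cert:
                    service_certificate: '/etc/pki/libvirt/servercert.pem'
                    service_key: '/etc/pki/libvirt/private/serverkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                  libvirt-client-cert:
                    service_certificate: '/etc/pki/libvirt/clientcert.pem'
                    service_key: '/etc/pki/libvirt/private/clientkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              - {}
      step_config: |
        include tripleo::profile::base::nova::libvirt
      # Registers the libvirt service on its network for the TLS certificate
      # workflow; nothing is registered when TLS is not in use.
      metadata_settings:
        if:
          - use_tls_for_live_migration
          -
            - service: libvirt
              network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              type: node
          - null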