heat_template_version: pike

description: >
  Libvirt service configured with Puppet

# Service template for libvirt on nova compute roles. Besides the standard
# TripleO service inputs it takes the Ceph/RBD, libvirt and internal-TLS
# settings used below, and emits a role_data map (config_settings,
# step_config, metadata_settings) for the consuming role template.
parameters:
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  # Ceph user libvirt authenticates as for RBD volumes (libvirt_rbd_user).
  CephClientUserName:
    default: openstack
    type: string
  # Secret. hidden: true keeps the value out of Heat's parameter listings;
  # it is still passed through to nova::compute::rbd::libvirt_rbd_secret_key
  # in config_settings below, so treat the rendered hieradata as sensitive.
  CephClientKey:
    description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. Currently only used for external Ceph deployments to create the openstack user keyring.
    type: string
    hidden: true
  # Reused below as the libvirt RBD secret uuid.
  CephClusterFSID:
    type: string
    description: The Ceph cluster FSID. Must be a UUID.
  CinderEnableRbdBackend:
    default: false
    description: Whether to enable or not the Rbd backend for Cinder
    type: boolean
  # Fed to both the ::services and ::libvirt virt_type settings below.
  NovaComputeLibvirtType:
    type: string
    default: kvm
  LibvirtEnabledPerfEvents:
    type: comma_delimited_list
    default: []
    description: This is a performance event list which could be used as monitor.
                 For example - ``enabled_perf_events = cmt, mbml, mbmt``
                 The supported events list can be found in
                 https://libvirt.org/html/libvirt-libvirt-domain.html ,
                 which you may need to search key words ``VIR_PERF_PARAM_*``
  MonitoringSubscriptionNovaLibvirt:
    default: 'overcloud-nova-libvirt'
    type: string
  # Both of the next two must be true for the use_tls_for_live_migration
  # condition; EnableInternalTLS defaults to false, so TLS is off unless the
  # deployment opts in.
  EnableInternalTLS:
    type: boolean
    default: false
  UseTLSTransportForLiveMigration:
    type: boolean
    default: true
    description: If set to true and if EnableInternalTLS is enabled, it will
                 set the libvirt URI's transport to tls and configure the
                 relevant keys for libvirt.
  # Fallback CA for libvirt TLS when LibvirtCACert is left empty.
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  LibvirtCACert:
    type: string
    default: ''
    description: This specifies the CA certificate to use for TLS in libvirt.
                 This file will be symlinked to the default CA path in libvirt,
                 which is /etc/pki/CA/cacert.pem. Note that due to limitations
                 GNU TLS, which is the TLS backend for libvirt, the file must
                 be less than 65K (so we can't use the system's CA bundle).
                 This parameter should be used if the default (which comes from
                 the InternalTLSCAFile parameter) is not desired. The current
                 default reflects TripleO's default CA, which is FreeIPA.
                 It will only be used if internal TLS is enabled.

conditions:

  # True only when both TLS switches are on. Gates the TLS map in
  # config_settings and the metadata_settings entry in the outputs.
  use_tls_for_live_migration:
    and:
    - equals:
      - {get_param: EnableInternalTLS}
      - true
    - equals:
      - {get_param: UseTLSTransportForLiveMigration}
      - true

  # LibvirtCACert still at its empty default -> use InternalTLSCAFile instead.
  libvirt_specific_ca_unset:
    equals:
      - {get_param: LibvirtCACert}
      - ''

resources:
  # Shared nova settings. Its config_settings are merged first, so any key
  # repeated in the maps below overrides the base value.
  NovaBase:
    type: ./nova-base.yaml
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

outputs:
  role_data:
    description: Role data for the Libvirt service.
    value:
      service_name: nova_libvirt
      monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
      config_settings:
        map_merge:
          - get_attr: [NovaBase, role_data, config_settings]
          # we include ::nova::compute::libvirt::services in nova/libvirt profile
          - nova::compute::libvirt::manage_libvirt_services: false
          # we manage migration in nova common puppet profile
            nova::compute::libvirt::migration_support: false
            tripleo::profile::base::nova::manage_migration: true
            tripleo::profile::base::nova::libvirt_enabled: true
            nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
            # secret material (see CephClientKey above)
            nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey}
            nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID}
            nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_enabled_perf_events: {get_param: LibvirtEnabledPerfEvents}
            nova::compute::libvirt::qemu::configure_qemu: true
            # NOTE: hard-coded qemu limits, not exposed as parameters
            nova::compute::libvirt::qemu::max_files: 32768
            nova::compute::libvirt::qemu::max_processes: 131072
            # VNC consoles listen on this node's NovaLibvirtNetwork address only
            nova::compute::libvirt::vncserver_listen: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
            rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
            # Opened unconditionally, i.e. not gated on use_tls_for_live_migration:
            # 16514 is libvirt's TLS listening port, 49152-49215 the live
            # migration range, 5900-5999 the VNC console range bound above.
            # This template only enables libvirt_tls in the conditional map
            # below, so with TLS off 16514 is opened without this template
            # configuring a listener for it. No source restriction is given
            # here; whether the rule is scoped to the NovaLibvirtNetwork is
            # decided by the firewall profile, not by this template.
            tripleo.nova_libvirt.firewall_rules:
              '200 nova_libvirt':
                dport:
                  - 16514
                  - '49152-49215'
                  - '5900-5999'

          -
            # Live-migration TLS settings, merged only when the condition
            # holds. Both a server and a client certificate are requested
            # from certmonger, which suggests mutual TLS on the migration
            # channel - confirm against the puppet profile.
            if:
              - use_tls_for_live_migration
              -
                generate_service_certificates: true
                tripleo::profile::base::nova::libvirt_tls: true
                # inbound address is this node's fqdn on the NovaLibvirtNetwork,
                # resolved from hiera at puppet run time.
                # NOTE(review): uses $NETWORK where the other str_replace blocks
                # below use NETWORK; equivalent as long as template and params
                # agree, but worth aligning for consistency.
                nova::migration::libvirt::live_migration_inbound_addr:
                  str_replace:
                    template:
                      "%{hiera('fqdn_$NETWORK')}"
                    params:
                      $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                # CA presented to libvirt: InternalTLSCAFile unless LibvirtCACert
                # was set (see its description for the 65K size limit).
                tripleo::certmonger::ca::libvirt::origin_ca_pem:
                  if:
                    - libvirt_specific_ca_unset
                    - get_param: InternalTLSCAFile
                    - get_param: LibvirtCACert
                tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
                tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
                # Certificate requests handed to certmonger. hostname is the
                # node fqdn on the NovaLibvirtNetwork; principal is
                # libvirt/<fqdn>, presumably the service principal used when
                # requesting from the FreeIPA CA - verify in the certmonger
                # profile.
                libvirt_certificates_specs:
                  libvirt-server-cert:
                    service_certificate: '/etc/pki/libvirt/servercert.pem'
                    service_key: '/etc/pki/libvirt/private/serverkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                  libvirt-client-cert:
                    service_certificate: '/etc/pki/libvirt/clientcert.pem'
                    service_key: '/etc/pki/libvirt/private/clientkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              # TLS off: nothing to merge
              - {}
      # Puppet class applied for this service at deploy time.
      step_config: |
        include tripleo::profile::base::nova::libvirt
      # With TLS on, advertise a node-type libvirt entry on the
      # NovaLibvirtNetwork; null otherwise.
      metadata_settings:
        if:
          - use_tls_for_live_migration
          -
            - service: libvirt
              network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              type: node
          - null