1 heat_template_version: pike
4 Libvirt service configured with Puppet
9 description: Dictionary packing service data
13 description: Mapping of service_name -> network name. Typically set
14 via parameter_defaults in the resource registry. This
15 mapping overrides those in ServiceNetMapDefaults.
22 description: Role name on which the service is applied
26 description: Parameters specific to the role
30 description: Mapping of service endpoint -> protocol. Typically set
31 via parameter_defaults in the resource registry.
# NOTE(review): this parameter carries secret key material. Its type/hidden
# lines are not visible in this listing -- confirm it is declared with
# `hidden: true` so the value is masked when the stack's parameters are shown.
37 description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. Currently only used for external Ceph deployments to create the openstack user keyring.
# The FSID is reused further down as the libvirt RBD secret UUID
# (nova::compute::rbd::libvirt_rbd_secret_uuid).
42 description: The Ceph cluster FSID. Must be a UUID.
43 CinderEnableRbdBackend:
45 description: Whether or not to enable the Rbd backend for Cinder
47 NovaComputeLibvirtType:
50 LibvirtEnabledPerfEvents:
51 type: comma_delimited_list
53 description: This is a list of performance events that can be monitored.
54 For example - ``enabled_perf_events = cmt, mbml, mbmt``
55 The list of supported events can be found at
56 https://libvirt.org/html/libvirt-libvirt-domain.html ,
57 where you may need to search for the keyword ``VIR_PERF_PARAM_*``
58 MonitoringSubscriptionNovaLibvirt:
59 default: 'overcloud-nova-libvirt'
64 UseTLSTransportForLiveMigration:
67 description: If set to true and if EnableInternalTLS is enabled, it will
68 set the libvirt URI's transport to tls and configure the
69 relevant keys for libvirt.
71 default: '/etc/ipa/ca.crt'
73 description: Specifies the default CA cert to use if TLS is used for
74 services in the internal network.
78 description: This specifies the CA certificate to use for TLS in libvirt.
79 This file will be symlinked to the default CA path in libvirt,
80 which is /etc/pki/CA/cacert.pem. Note that due to limitations of
81 GNU TLS, which is the TLS backend for libvirt, the file must
82 be less than 65K (so we can't use the system's CA bundle).
83 This parameter should be used if the default (which comes from
84 the InternalTLSCAFile parameter) is not desired. The current
85 default reflects TripleO's default CA, which is FreeIPA.
86 It will only be used if internal TLS is enabled.
# Conditions used by the outputs below. The lines holding the combining
# functions are not visible in this listing.
# use_tls_for_live_migration reads both EnableInternalTLS and
# UseTLSTransportForLiveMigration; per the parameter description, TLS transport
# is only configured when both are true.
# NOTE(review): presumably joined with `and` -- confirm. When this condition is
# false, none of the libvirt TLS settings guarded by it are applied; verify
# what transport live migration falls back to in that case.
90 use_tls_for_live_migration:
93 - {get_param: EnableInternalTLS}
96 - {get_param: UseTLSTransportForLiveMigration}
# libvirt_specific_ca_unset is derived from LibvirtCACert and selects between
# InternalTLSCAFile and LibvirtCACert for the libvirt CA further down.
# NOTE(review): presumably true when LibvirtCACert is empty -- confirm.
99 libvirt_specific_ca_unset:
101 - {get_param: LibvirtCACert}
# Nested stack built from ./nova-base.yaml (referenced as NovaBase by the
# outputs; the resource-name line is not visible in this listing).
# Every property below is passed through unchanged from this template's own
# parameter of the same name, including DefaultPasswords.
106 type: ./nova-base.yaml
108 ServiceData: {get_param: ServiceData}
109 ServiceNetMap: {get_param: ServiceNetMap}
110 DefaultPasswords: {get_param: DefaultPasswords}
111 EndpointMap: {get_param: EndpointMap}
112 RoleName: {get_param: RoleName}
113 RoleParameters: {get_param: RoleParameters}
# role_data output for the nova_libvirt service.
117 description: Role data for the Libvirt service.
119 service_name: nova_libvirt
120 monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
# Settings start from NovaBase's config_settings and add the libvirt-specific
# keys below. NOTE(review): presumably combined with map_merge (line not shown).
123 - get_attr: [NovaBase, role_data, config_settings]
124 # we include ::nova::compute::libvirt::services in nova/libvirt profile
125 - nova::compute::libvirt::manage_libvirt_services: false
126 # we manage migration in nova common puppet profile
127 nova::compute::libvirt::migration_support: false
128 tripleo::profile::base::nova::manage_migration: true
129 tripleo::profile::base::nova::libvirt_enabled: true
130 nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
# Secret material: the Ceph client key is handed to puppet as a plain setting.
# NOTE(review): presumably rendered into the node's hieradata -- confirm who
# can read that data on the compute host.
131 nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey}
132 nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID}
# The same NovaComputeLibvirtType value feeds both virt_type settings.
133 nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
134 nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
135 nova::compute::libvirt::libvirt_enabled_perf_events: {get_param: LibvirtEnabledPerfEvents}
# Fixed qemu limits; going by the key names these cap open files and processes.
136 nova::compute::libvirt::qemu::configure_qemu: true
137 nova::compute::libvirt::qemu::max_files: 32768
138 nova::compute::libvirt::qemu::max_processes: 131072
# The VNC listen address follows the NovaLibvirtNetwork entry of ServiceNetMap.
# NOTE(review): verify that this entry maps to an internal network, since guest
# consoles are served on whatever address this resolves to.
139 nova::compute::libvirt::vncserver_listen: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
140 rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
# NOTE(review): the rule bodies are not visible in this listing -- verify that
# the opened ports are limited to what libvirt, VNC and migration require.
141 tripleo.nova_libvirt.firewall_rules:
# Settings guarded by the use_tls_for_live_migration condition.
# NOTE(review): the enclosing `if` line and its else-branch are not visible in
# this listing -- confirm what is emitted when the condition is false.
150 - use_tls_for_live_migration
152 generate_service_certificates: true
153 tripleo::profile::base::nova::libvirt_tls: true
# The inbound migration address is a hiera lookup of fqdn_<network>, with
# $NETWORK replaced by the NovaLibvirtNetwork entry of ServiceNetMap. The
# certificate specs below use the same per-network FQDN pattern.
# NOTE(review): presumably so the name peers connect to matches the
# certificate hostname -- confirm.
154 nova::migration::libvirt::live_migration_inbound_addr:
157 "%{hiera('fqdn_$NETWORK')}"
159 $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
# CA selection: InternalTLSCAFile when libvirt_specific_ca_unset holds,
# otherwise the explicitly supplied LibvirtCACert.
160 tripleo::certmonger::ca::libvirt::origin_ca_pem:
162 - libvirt_specific_ca_unset
163 - get_param: InternalTLSCAFile
164 - get_param: LibvirtCACert
165 tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
166 tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
# Two certificate/key pairs are requested: a server pair and a client pair.
# Both private keys live under /etc/pki/libvirt/private.
# NOTE(review): ownership and mode of the key files are not set in the visible
# lines -- verify they are restricted where the certificates are created.
167 libvirt_certificates_specs:
# Server certificate and key.
169 service_certificate: '/etc/pki/libvirt/servercert.pem'
170 service_key: '/etc/pki/libvirt/private/serverkey.pem'
# NETWORK is replaced by the NovaLibvirtNetwork entry, so the names resolve to
# that network's FQDN. NOTE(review): the keys these templates belong to are not
# shown; presumably hostname and a libvirt/<fqdn> principal -- confirm.
173 template: "%{hiera('fqdn_NETWORK')}"
175 NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
178 template: "libvirt/%{hiera('fqdn_NETWORK')}"
180 NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
# Client certificate and key, using the same name templates as the server pair.
182 service_certificate: '/etc/pki/libvirt/clientcert.pem'
183 service_key: '/etc/pki/libvirt/private/clientkey.pem'
186 template: "%{hiera('fqdn_NETWORK')}"
188 NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
191 template: "libvirt/%{hiera('fqdn_NETWORK')}"
193 NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
196 include tripleo::profile::base::nova::libvirt
199 - use_tls_for_live_migration
202 network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}