# Heat template for the nova libvirt composable service. Its role_data output
# (below) carries the Puppet hieradata keys, the step_config include, the
# firewall rules and, when internal TLS is enabled, the certificate specs
# that the overcloud merges into the compute role.
heat_template_version: pike

description: >
  Libvirt service configured with Puppet

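parameters:
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  # NOTE(review): by its name this carries generated service passwords but
  # it is not marked hidden. It is only passed through to NovaBase here, so
  # the flag belongs wherever the parameter is defined for every service.
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  CephClientUserName:
    default: openstack
    type: string
  CephClientKey:
    description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. Currently only used for external Ceph deployments to create the openstack user keyring.
    type: string
    # Secret: hidden keeps it out of stack parameter listings and outputs.
    hidden: true
  CephClusterFSID:
    type: string
    description: The Ceph cluster FSID. Must be a UUID.
  CinderEnableRbdBackend:
    default: false
    description: Whether to enable or not the Rbd backend for Cinder
    type: boolean
  NovaComputeLibvirtType:
    type: string
    default: kvm
  LibvirtEnabledPerfEvents:
    type: comma_delimited_list
    default: []
    description: This is a performance event list which could be used as monitor.
                 For example - ``enabled_perf_events = cmt, mbml, mbmt``
                 The supported events list can be found in
                 https://libvirt.org/html/libvirt-libvirt-domain.html ,
                 which you may need to search key words ``VIR_PERF_PARAM_*``
  MonitoringSubscriptionNovaLibvirt:
    default: 'overcloud-nova-libvirt'
    type: string
  EnableInternalTLS:
    type: boolean
    default: false
  # Only takes effect together with EnableInternalTLS (see the
  # use_tls_for_live_migration condition).
  UseTLSTransportForLiveMigration:
    type: boolean
    default: true
    description: If set to true and if EnableInternalTLS is enabled, it will
                 set the libvirt URI's transport to tls and configure the
                 relevant keys for libvirt.
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  LibvirtCACert:
    type: string
    default: ''
    description: This specifies the CA certificate to use for TLS in libvirt.
                 This file will be symlinked to the default CA path in libvirt,
                 which is /etc/pki/CA/cacert.pem. Note that due to limitations
                 of GNU TLS, which is the TLS backend for libvirt, the file must
                 be less than 65K (so we can't use the system's CA bundle).
                 This parameter should be used if the default (which comes from
                 the InternalTLSCAFile parameter) is not desired. The current
                 default reflects TripleO's default CA, which is FreeIPA.
                 It will only be used if internal TLS is enabled.
  MigrationSshKey:
    type: json
    description: >
      SSH key for migration.
      Expects a dictionary with keys 'public_key' and 'private_key'.
      Values should be identical to SSH public/private key files.
    default:
      public_key: ''
      private_key: ''
    # The private_key half is handed to every node running this service (see
    # tripleo::profile::base::nova::migration::client::ssh_private_key in
    # role_data). Treat the whole parameter as a secret, as CephClientKey is,
    # so it does not show up in stack parameter listings.
    hidden: true
  MigrationSshPort:
    default: 22
    description: Target port for migration over ssh
    type: number
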
conditions:

  # TLS transport for live migration is selected only when internal TLS is
  # enabled AND the operator has not opted out via
  # UseTLSTransportForLiveMigration (which defaults to true).
  use_tls_for_live_migration:
    and:
      - equals: [{get_param: EnableInternalTLS}, true]
      - equals: [{get_param: UseTLSTransportForLiveMigration}, true]

  # True when no libvirt-specific CA was given, in which case the TLS branch
  # of role_data falls back to InternalTLSCAFile for origin_ca_pem.
  libvirt_specific_ca_unset:
    equals: [{get_param: LibvirtCACert}, '']

resources:
  # Shared nova configuration. Its config_settings are the first entry of
  # the map_merge in role_data; the libvirt-specific keys are layered on top.
  NovaBase:
    type: ./nova-base.yaml
    properties:
      ServiceData:
        get_param: ServiceData
      ServiceNetMap:
        get_param: ServiceNetMap
      DefaultPasswords:
        get_param: DefaultPasswords
      EndpointMap:
        get_param: EndpointMap
      RoleName:
        get_param: RoleName
      RoleParameters:
        get_param: RoleParameters

outputs:
  role_data:
    description: Role data for the Libvirt service.
    value:
      service_name: nova_libvirt
      monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
      config_settings:
        map_merge:
          - get_attr: [NovaBase, role_data, config_settings]
          # we include ::nova::compute::libvirt::services in nova/libvirt profile
          - nova::compute::libvirt::manage_libvirt_services: false
          # we manage migration in nova common puppet profile
            nova::compute::libvirt::migration_support: false
            nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
            # keyring name is "client.<CephClientUserName>"
            nova::compute::rbd::rbd_keyring:
              list_join:
              - '.'
              - - 'client'
                - {get_param: CephClientUserName}
            nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey}
            nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID}
            tripleo::profile::base::nova::migration::client::libvirt_enabled: true
            # NOTE(review): the private half of MigrationSshKey is shipped to
            # every node running this service. That is only acceptable if the
            # rendered config on the nodes is root-readable only — confirm on
            # a deployed compute node.
            tripleo::profile::base::nova::migration::client::ssh_private_key: {get_param: [ MigrationSshKey, private_key ]}
            tripleo::profile::base::nova::migration::client::ssh_port: {get_param: MigrationSshPort}
            nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_enabled_perf_events: {get_param: LibvirtEnabledPerfEvents}
            nova::compute::libvirt::qemu::configure_qemu: true
            nova::compute::libvirt::qemu::max_files: 32768
            nova::compute::libvirt::qemu::max_processes: 131072
            # VNC consoles are bound to the network NovaLibvirtNetwork maps to
            # (a network name here; resolved to an address downstream).
            nova::compute::libvirt::vncserver_listen: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
            rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
            # These ports are opened unconditionally, i.e. also when
            # use_tls_for_live_migration is false: 16514 (presumably libvirtd's
            # TLS listener), 49152-49215 (live-migration data) and 5900-5999
            # (VNC consoles, matching vncserver_listen above). Anything the
            # service does not actually listen on is surface area worth
            # re-checking against the deployed libvirtd configuration.
            tripleo.nova_libvirt.firewall_rules:
              '200 nova_libvirt':
                dport:
                  - 16514
                  - '49152-49215'
                  - '5900-5999'

          # TLS-only settings: request server and client certificates for
          # libvirt under /etc/pki/libvirt, with the CA taken from
          # InternalTLSCAFile unless a libvirt-specific LibvirtCACert is set.
          -
            if:
              - use_tls_for_live_migration
              -
                generate_service_certificates: true
                tripleo::profile::base::nova::migration::client::libvirt_tls: true
                # inbound migration address is the node's FQDN on the libvirt
                # network; $NETWORK is substituted by str_replace.
                nova::migration::libvirt::live_migration_inbound_addr:
                  str_replace:
                    template:
                      "%{hiera('fqdn_$NETWORK')}"
                    params:
                      $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                tripleo::certmonger::ca::libvirt::origin_ca_pem:
                  if:
                    - libvirt_specific_ca_unset
                    - get_param: InternalTLSCAFile
                    - get_param: LibvirtCACert
                tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
                tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
                # Both certs are issued for the node's FQDN on the libvirt
                # network with principal libvirt/<fqdn>; the client cert is
                # what the migration client presents to the peer's libvirtd.
                libvirt_certificates_specs:
                  libvirt-server-cert:
                    service_certificate: '/etc/pki/libvirt/servercert.pem'
                    service_key: '/etc/pki/libvirt/private/serverkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                  libvirt-client-cert:
                    service_certificate: '/etc/pki/libvirt/clientcert.pem'
                    service_key: '/etc/pki/libvirt/private/clientkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              # no TLS: nothing extra to merge
              - {}
      step_config: |
        include tripleo::profile::base::nova::libvirt
      # Service/network/type record for the TLS certificate setup; null when
      # TLS is off so no libvirt entry is registered.
      metadata_settings:
        if:
          - use_tls_for_live_migration
          -
            - service: libvirt
              network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              type: node
          - null