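heat_template_version: pike

description: >
  Libvirt service configured with Puppet

parameters:
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  CephClientUserName:
    default: openstack
    type: string
  CephClientKey:
    description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. Currently only used for external Ceph deployments to create the openstack user keyring.
    type: string
    # Secret material: masked in stack parameter output.
    hidden: true
  CephClusterFSID:
    type: string
    description: The Ceph cluster FSID. Must be a UUID.
  CinderEnableRbdBackend:
    default: false
    description: Whether to enable or not the Rbd backend for Cinder
    type: boolean
  NovaComputeLibvirtType:
    type: string
    default: kvm
  LibvirtEnabledPerfEvents:
    type: comma_delimited_list
    default: []
    description: This is a performance event list which could be used as monitor.
                 For example - ``enabled_perf_events = cmt, mbml, mbmt``
                 The supported events list can be found in
                 https://libvirt.org/html/libvirt-libvirt-domain.html ,
                 which you may need to search key words ``VIR_PERF_PARAM_*``
  MonitoringSubscriptionNovaLibvirt:
    default: 'overcloud-nova-libvirt'
    type: string
  EnableInternalTLS:
    type: boolean
    default: false
  UseTLSTransportForLiveMigration:
    type: boolean
    default: true
    description: If set to true and if EnableInternalTLS is enabled, it will
                 set the libvirt URI's transport to tls and configure the
                 relevant keys for libvirt.
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  LibvirtCACert:
    type: string
    default: ''
    description: This specifies the CA certificate to use for TLS in libvirt.
                 This file will be symlinked to the default CA path in libvirt,
                 which is /etc/pki/CA/cacert.pem. Note that due to limitations
                 GNU TLS, which is the TLS backend for libvirt, the file must
                 be less than 65K (so we can't use the system's CA bundle).
                 This parameter should be used if the default (which comes from
                 the InternalTLSCAFile parameter) is not desired. The current
                 default reflects TripleO's default CA, which is FreeIPA.
                 It will only be used if internal TLS is enabled.
  MigrationSshKey:
    type: json
    description: >
      SSH key for migration.
      Expects a dictionary with keys 'public_key' and 'private_key'.
      Values should be identical to SSH public/private key files.
    default:
      public_key: ''
      private_key: ''
    # The private_key member is secret material (it is pushed into
    # config_settings below); mask it in stack parameter output the same
    # way CephClientKey is.
    hidden: true
  MigrationSshPort:
    default: 22
    description: Target port for migration over ssh
    type: number

conditions:

  # TLS for the libvirt migration transport is only configured when both
  # internal TLS and the TLS transport option are enabled.
  use_tls_for_live_migration:
    and:
      - equals:
          - {get_param: EnableInternalTLS}
          - true
      - equals:
          - {get_param: UseTLSTransportForLiveMigration}
          - true

  # True when no libvirt-specific CA was given, i.e. InternalTLSCAFile applies.
  libvirt_specific_ca_unset:
    equals:
      - {get_param: LibvirtCACert}
      - ''

resources:
  NovaBase:
    type: ./nova-base.yaml
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

outputs:
  role_data:
    description: Role data for the Libvirt service.
    value:
      service_name: nova_libvirt
      monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
      config_settings:
        map_merge:
          - get_attr: [NovaBase, role_data, config_settings]
          # we include ::nova::compute::libvirt::services in nova/libvirt profile
          - nova::compute::libvirt::manage_libvirt_services: false
            # we manage migration in nova common puppet profile
            nova::compute::libvirt::migration_support: false
            nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
            nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey}
            nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID}
            tripleo::profile::base::nova::migration::client::libvirt_enabled: true
            # Only the private half of MigrationSshKey is handed to the
            # migration client; the public half is not consumed here.
            tripleo::profile::base::nova::migration::client::ssh_private_key: {get_param: [ MigrationSshKey, private_key ]}
            tripleo::profile::base::nova::migration::client::ssh_port: {get_param: MigrationSshPort}
            nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_enabled_perf_events: {get_param: LibvirtEnabledPerfEvents}
            nova::compute::libvirt::qemu::configure_qemu: true
            nova::compute::libvirt::qemu::max_files: 32768
            nova::compute::libvirt::qemu::max_processes: 131072
            # VNC listens on the NovaLibvirt network address, not on all interfaces.
            nova::compute::libvirt::vncserver_listen: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
            rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
            tripleo.nova_libvirt.firewall_rules:
              '200 nova_libvirt':
                dport:
                  # libvirt TLS listener
                  - 16514
                  # libvirt live-migration port range
                  - '49152-49215'
                  # VNC console range
                  - '5900-5999'

          # TLS transport settings; merged in only when use_tls_for_live_migration
          # holds, otherwise an empty mapping is merged.
          -
            if:
              - use_tls_for_live_migration
              -
                generate_service_certificates: true
                tripleo::profile::base::nova::migration::client::libvirt_tls: true
                # Inbound migration address is the node's FQDN on the
                # NovaLibvirt network, resolved from hiera at apply time.
                nova::migration::libvirt::live_migration_inbound_addr:
                  str_replace:
                    template:
                      "%{hiera('fqdn_$NETWORK')}"
                    params:
                      $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                # CA that libvirt trusts: LibvirtCACert when set, otherwise the
                # internal CA from InternalTLSCAFile.
                tripleo::certmonger::ca::libvirt::origin_ca_pem:
                  if:
                    - libvirt_specific_ca_unset
                    - get_param: InternalTLSCAFile
                    - get_param: LibvirtCACert
                tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
                tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
                # Server and client certificate requests; both are issued for the
                # node's FQDN on the NovaLibvirt network with a libvirt/ principal.
                libvirt_certificates_specs:
                  libvirt-server-cert:
                    service_certificate: '/etc/pki/libvirt/servercert.pem'
                    service_key: '/etc/pki/libvirt/private/serverkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                  libvirt-client-cert:
                    service_certificate: '/etc/pki/libvirt/clientcert.pem'
                    service_key: '/etc/pki/libvirt/private/clientkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              - {}
      step_config: |
        include tripleo::profile::base::nova::libvirt
      # Service/network metadata is only published when TLS for live
      # migration is enabled; otherwise null.
      metadata_settings:
        if:
          - use_tls_for_live_migration
          -
            - service: libvirt
              network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              type: node
          - null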