# Heat service template for the nova_libvirt service. Besides the base
# libvirt/qemu settings it optionally configures a TLS transport for libvirt
# and the certmonger certificate specs used for live migration, gated on the
# use_tls_for_live_migration condition defined further down.
heat_template_version: ocata

description: >
  Libvirt service configured with Puppet

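parameters:
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  NovaComputeLibvirtType:
    type: string
    default: kvm
  LibvirtEnabledPerfEvents:
    type: comma_delimited_list
    default: []
    description: List of libvirt performance events to enable for monitoring.
                 For example - ``enabled_perf_events = cmt, mbml, mbmt``
                 The supported events are listed at
                 https://libvirt.org/html/libvirt-libvirt-domain.html
                 (search for the ``VIR_PERF_PARAM_*`` constants).
  MonitoringSubscriptionNovaLibvirt:
    default: 'overcloud-nova-libvirt'
    type: string
  # TLS for the libvirt transport is configured only when BOTH of the next two
  # parameters are true (see the use_tls_for_live_migration condition below).
  # UseTLSTransportForLiveMigration defaults to true, so enabling internal TLS
  # turns on TLS live migration unless it is explicitly opted out of.
  EnableInternalTLS:
    type: boolean
    default: false
  UseTLSTransportForLiveMigration:
    type: boolean
    default: true
    description: If set to true and if EnableInternalTLS is enabled, it will
                 set the libvirt URI's transport to tls and configure the
                 relevant keys for libvirt. It has no effect on its own while
                 EnableInternalTLS is false.
  LibvirtCACert:
    type: string
    default: '/etc/ipa/ca.crt'
    description: This specifies the CA certificate to use for TLS in libvirt.
                 This file will be symlinked to the default CA path in libvirt,
                 which is /etc/pki/CA/cacert.pem. Note that due to limitations
                 in GNU TLS, which is the TLS backend for libvirt, the file must
                 be less than 65K (so we can't use the system's CA bundle). The
                 current default reflects TripleO's default CA, which is
                 FreeIPA. It is only used when both EnableInternalTLS and
                 UseTLSTransportForLiveMigration are true.
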
conditions:

  # True only when internal TLS is enabled AND the TLS transport for live
  # migration has not been opted out of. It gates the TLS-specific
  # config_settings (certificate specs, libvirt_tls, inbound address) and the
  # metadata_settings in the outputs below; everything else in this template
  # is applied regardless.
  use_tls_for_live_migration:
    and:
    - equals:
      - {get_param: EnableInternalTLS}
      - true
    - equals:
      - {get_param: UseTLSTransportForLiveMigration}
      - true

resources:
  # Base nova settings from ./nova-base.yaml. Its config_settings are merged
  # first in the outputs below, so any key set in this template overrides the
  # value it provides.
  NovaBase:
    type: ./nova-base.yaml
    properties:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}

outputs:
  role_data:
    description: Role data for the Libvirt service.
    value:
      service_name: nova_libvirt
      monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
      config_settings:
        map_merge:
          # Base nova settings come first; later maps override them.
          - get_attr: [NovaBase, role_data, config_settings]
          # we include ::nova::compute::libvirt::services in nova/libvirt profile
          - nova::compute::libvirt::manage_libvirt_services: false
            # we manage migration in nova common puppet profile
            nova::compute::libvirt::migration_support: false
            tripleo::profile::base::nova::manage_migration: true
            tripleo::profile::base::nova::libvirt_enabled: true
            nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
            nova::compute::libvirt::libvirt_enabled_perf_events: {get_param: LibvirtEnabledPerfEvents}
            nova::compute::libvirt::qemu::configure_qemu: true
            nova::compute::libvirt::qemu::max_files: 32768
            nova::compute::libvirt::qemu::max_processes: 131072
            # NOTE(review): VNC is bound to the NovaLibvirtNetwork address;
            # nothing in this template configures TLS for the VNC listener, so
            # confirm that network is not reachable by tenants.
            nova::compute::libvirt::vncserver_listen: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
            # NOTE(review): this rule is in the unconditional map, so all three
            # ranges (16514, presumably the libvirt TLS listener; the migration
            # port range; the VNC range) are opened whether or not
            # use_tls_for_live_migration holds, and no source restriction is
            # set here. The TLS settings below cover the libvirt connection;
            # whether the migration data stream on 49152-49215 is also
            # encrypted depends on migration settings not visible in this
            # template -- confirm.
            tripleo.nova_libvirt.firewall_rules:
              '200 nova_libvirt':
                dport:
                  - 16514
                  - '49152-49215'
                  - '5900-5999'

          # TLS-only settings; an empty map is merged when the condition is
          # false so the map_merge above is unaffected.
          -
            if:
              - use_tls_for_live_migration
              -
                generate_service_certificates: true
                tripleo::profile::base::nova::libvirt_tls: true
                # Inbound migration address is this node's FQDN on the
                # NovaLibvirtNetwork, looked up from hiera at deploy time. The
                # same FQDN is used as the certificate hostname below.
                # NOTE(review): uses $NETWORK as the str_replace key where the
                # certificate specs below use NETWORK; both should substitute
                # the same value.
                nova::migration::libvirt::live_migration_inbound_addr:
                  str_replace:
                    template:
                      "%{hiera('fqdn_$NETWORK')}"
                    params:
                      $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                # CA and certificate/key locations handed to the certmonger
                # profile classes; see the LibvirtCACert parameter for the size
                # limit on the CA file.
                tripleo::certmonger::ca::libvirt::origin_ca_pem:
                  get_param: LibvirtCACert
                tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
                tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
                # One server and one client certificate per node. Both carry
                # the node's FQDN on the NovaLibvirtNetwork as hostname and a
                # libvirt/<fqdn> principal; the private keys live under
                # key_dir above.
                libvirt_certificates_specs:
                  libvirt-server-cert:
                    service_certificate: '/etc/pki/libvirt/servercert.pem'
                    service_key: '/etc/pki/libvirt/private/serverkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                  libvirt-client-cert:
                    service_certificate: '/etc/pki/libvirt/clientcert.pem'
                    service_key: '/etc/pki/libvirt/private/clientkey.pem'
                    hostname:
                      str_replace:
                        template: "%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                    principal:
                      str_replace:
                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
                        params:
                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              - {}
      step_config: |
        include tripleo::profile::base::nova::libvirt
      # Node-type metadata for the libvirt service on the NovaLibvirtNetwork,
      # emitted only when TLS is in use (null otherwise); presumably consumed
      # by the certificate provisioning step that generate_service_certificates
      # enables -- confirm against the consumer.
      metadata_settings:
        if:
          - use_tls_for_live_migration
          -
            - service: libvirt
              network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
              type: node
          - null