heat_template_version: pike description: > OpenStack Glance API service configured with Puppet parameters: ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json Debug: default: '' description: Set to True to enable debugging on all services. type: string GlanceDebug: default: '' description: Set to True to enable debugging Glance service. type: string GlancePassword: description: The password for the glance service and db account, used by the glance services. type: string hidden: true GlanceWorkers: default: '' description: | Number of API worker processes for Glance. If left unset (empty string), the default value will result in the configuration being left unset and a system-dependent default value will be chosen (e.g.: number of processors). Please note that this will create a large number of processes on systems with a large number of CPUs resulting in excess memory consumption. It is recommended that a suitable non-default value be selected on such systems. type: string MonitoringSubscriptionGlanceApi: default: 'overcloud-glance-api' type: string GlanceApiLoggingSource: type: json default: tag: openstack.glance.api path: /var/log/glance/api.log EnableInternalTLS: type: boolean default: false CephClientUserName: default: openstack type: string GlanceNotifierStrategy: description: Strategy to use for Glance notification queue type: string default: noop GlanceLogFile: description: The filepath of the file to use for logging messages from Glance. type: string default: '' GlanceBackend: default: swift description: The short name of the Glance backend to use. Should be one of swift, rbd, or file type: string constraints: - allowed_values: ['swift', 'file', 'rbd'] GlanceNfsEnabled: default: false description: > When using GlanceBackend 'file', mount NFS share for image storage. type: boolean GlanceNfsShare: default: '' description: > NFS share to mount for image storage (when GlanceNfsEnabled is true) type: string GlanceNfsOptions: default: 'intr,context=system_u:object_r:glance_var_lib_t:s0' description: > NFS mount options for image storage (when GlanceNfsEnabled is true) type: string GlanceRbdPoolName: default: images type: string NovaEnableRbdBackend: default: false description: Whether to enable or not the Rbd backend for Nova type: boolean RabbitPassword: description: The password for RabbitMQ type: string hidden: true RabbitUserName: default: guest description: The username for RabbitMQ type: string RabbitClientPort: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number RabbitClientUseSSL: default: false description: > Rabbit client subscriber parameter to specify an SSL connection to the RabbitMQ host. type: string KeystoneRegion: type: string default: 'regionOne' description: Keystone region for endpoint GlanceApiPolicies: description: | A hash of policies to configure for Glance API. e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } } default: {} type: json NotificationDriver: type: string default: 'messagingv2' description: Driver or drivers to handle sending notifications. constraints: - allowed_values: [ 'messagingv2', 'noop' ] conditions: use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} glance_workers_unset: {equals : [{get_param: GlanceWorkers}, '']} service_debug_unset: {equals : [{get_param: GlanceDebug}, '']} glance_multiple_locations: and: - equals: - get_param: GlanceBackend - rbd - equals: - get_param: NovaEnableRbdBackend - true resources: TLSProxyBase: type: OS::TripleO::Services::TLSProxyBase properties: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: description: Role data for the Glance API role. value: service_name: glance_api monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi} logging_source: {get_param: GlanceApiLoggingSource} logging_groups: - glance config_settings: map_merge: - get_attr: [TLSProxyBase, role_data, config_settings] - glance::api::database_connection: make_url: scheme: {get_param: [EndpointMap, MysqlInternal, protocol]} username: glance password: {get_param: GlancePassword} host: {get_param: [EndpointMap, MysqlInternal, host]} path: /glance query: read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::enable_v1_api: false glance::api::enable_v2_api: true glance::api::authtoken::password: {get_param: GlancePassword} glance::api::enable_proxy_headers_parsing: true glance::api::debug: if: - service_debug_unset - {get_param: Debug } - {get_param: GlanceDebug } glance::policy::policies: {get_param: GlanceApiPolicies} tripleo.glance_api.firewall_rules: '112 glance_api': dport: - 9292 - 13292 glance::api::authtoken::project_name: 'service' glance::keystone::authtoken::user_domain_name: 'Default' glance::keystone::authtoken::project_domain_name: 'Default' glance::api::pipeline: 'keystone' glance::api::show_image_direct_url: true glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]} glance::api::os_region_name: {get_param: KeystoneRegion} # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR tripleo::profile::base::glance::api::tls_proxy_bind_ip: get_param: [ServiceNetMap, GlanceApiNetwork] tripleo::profile::base::glance::api::tls_proxy_fqdn: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]} tripleo::profile::base::glance::api::tls_proxy_port: get_param: [EndpointMap, GlanceInternal, port] # Bind to localhost if internal TLS is enabled, since we put a TLs # proxy in front. glance::api::bind_host: if: - use_tls_proxy - 'localhost' - {get_param: [ServiceNetMap, GlanceApiNetwork]} glance_notifier_strategy: {get_param: GlanceNotifierStrategy} glance_log_file: {get_param: GlanceLogFile} glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri] } glance::backend::swift::swift_store_user: service:glance glance::backend::swift::swift_store_key: {get_param: GlancePassword} glance::backend::swift::swift_store_create_container_on_put: true glance::backend::swift::swift_store_auth_version: 3 glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} glance_backend: {get_param: GlanceBackend} glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} glance::notify::rabbitmq::notification_driver: {get_param: NotificationDriver} tripleo::profile::base::glance::api::glance_nfs_enabled: {get_param: GlanceNfsEnabled} tripleo::glance::nfs_mount::share: {get_param: GlanceNfsShare} tripleo::glance::nfs_mount::options: {get_param: GlanceNfsOptions} - if: - glance_workers_unset - {} - glance::api::workers: {get_param: GlanceWorkers} service_config_settings: keystone: glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} glance::keystone::auth::password: {get_param: GlancePassword } glance::keystone::auth::region: {get_param: KeystoneRegion} glance::keystone::auth::tenant: 'service' mysql: glance::db::mysql::password: {get_param: GlancePassword} glance::db::mysql::user: glance glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} glance::db::mysql::dbname: glance glance::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" step_config: | include ::tripleo::profile::base::glance::api upgrade_tasks: - name: Check if glance_api is deployed command: systemctl is-enabled openstack-glance-api tags: common ignore_errors: True register: glance_api_enabled #(TODO) Remove all glance-registry bits in Pike. - name: Check if glance_registry is deployed command: systemctl is-enabled openstack-glance-registry tags: common ignore_errors: True register: glance_registry_enabled - name: "PreUpgrade step0,validation: Check service openstack-glance-api is running" shell: /usr/bin/systemctl show 'openstack-glance-api' --property ActiveState | grep '\bactive\b' tags: step0,validation when: glance_api_enabled.rc == 0 - name: Stop glance_api service tags: step1 when: glance_api_enabled.rc == 0 service: name=openstack-glance-api state=stopped - name: Stop and disable glance registry (removed for Ocata) tags: step1 when: glance_registry_enabled.rc == 0 service: name=openstack-glance-registry state=stopped enabled=no