Merge "Fix cidr get_attr in custom networks"
authorJenkins <jenkins@review.openstack.org>
Thu, 10 Aug 2017 19:41:17 +0000 (19:41 +0000)
committerGerrit Code Review <review@openstack.org>
Thu, 10 Aug 2017 19:41:17 +0000 (19:41 +0000)
12 files changed:
docker/services/pacemaker/database/mysql.yaml
environments/docker-services-tls-everywhere.yaml
environments/neutron-nuage-config.yaml
environments/nova-nuage-config.yaml
firstboot/userdata_example.yaml
overcloud-resource-registry-puppet.j2.yaml
puppet/services/haproxy-internal-tls-certmonger.yaml
puppet/services/haproxy-public-tls-certmonger.yaml
puppet/services/keystone.yaml
puppet/services/neutron-base.yaml
puppet/services/neutron-plugin-ml2-nuage.yaml [new file with mode: 0644]
puppet/services/neutron-plugin-ml2.yaml

index f12852f..3fb3834 100644 (file)
@@ -32,6 +32,9 @@ parameters:
     type: string
     hidden: true
     default: ''
+  MysqlClustercheckPassword:
+    type: string
+    hidden: true
   RoleName:
     default: ''
     description: Role name on which the service is applied
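Review bot: `MysqlClustercheckPassword` is added without a `description`, unlike the `RoleName` parameter that follows it in this hunk. It also has no `default`, so every stack that includes this template must supply a value; that is reasonable for a secret but worth stating. Suggest adding `description: Password for the clustercheck user created during MySQL bootstrap` next to the existing `hidden: true`. The parameters section starts and ends outside the hunk.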
@@ -118,7 +121,19 @@ outputs:
             image: *mysql_image
             net: host
             # Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
-            command: ['bash', '-c', 'test -e /var/lib/mysql/mysql || kolla_start']
+            command:
+              - 'bash'
+              - '-ec'
+              -
+                list_join:
+                  - "\n"
+                  - - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi'
+                    - 'kolla_start'
+                    - 'mysqld_safe --skip-networking --wsrep-on=OFF &'
+                    - 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done'''
+                    - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER ''clustercheck''@''localhost'' IDENTIFIED BY ''${DB_CLUSTERCHECK_PASSWORD}'';"'
+                    - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "GRANT PROCESS ON *.* TO ''clustercheck''@''localhost'' WITH GRANT OPTION;"'
+                    - 'timeout ${DB_MAX_TIMEOUT} mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown'
             volumes: &mysql_volumes
               list_concat:
                 - {get_attr: [ContainersCommon, volumes]}
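Review bot: The added `GRANT PROCESS ON *.* ... WITH GRANT OPTION` gives the `clustercheck` account, which looks like a health-check user, more than it needs: with the grant option it can pass `PROCESS` on to other accounts. Dropping the clause keeps the account least-privilege, i.e. `GRANT PROCESS ON *.* TO ''clustercheck''@''localhost'';` in the scalar's own quoting. Separately, `${DB_CLUSTERCHECK_PASSWORD}` is expanded by the shell straight into the `CREATE USER` statement, so a password containing a single quote or backslash breaks or alters the SQL. `-p"${DB_ROOT_PASSWORD}"` also puts the root password on the `mysql` and `mysqladmin` command lines, where it is visible in the process list while each command runs. If the password generator can emit such characters, constrain or escape the value, and consider passing the root credentials through a client option file rather than argv.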
@@ -131,6 +146,12 @@ outputs:
               - KOLLA_BOOTSTRAP=True
               # NOTE(mandre) skip wsrep cluster status check
               - KOLLA_KUBERNETES=True
+              - DB_MAX_TIMEOUT=60
+              -
+                list_join:
+                  - '='
+                  - - 'DB_CLUSTERCHECK_PASSWORD'
+                    - {get_param: MysqlClustercheckPassword}
               -
                 list_join:
                   - '='
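Review bot: `DB_CLUSTERCHECK_PASSWORD` is handed to the bootstrap container as a plain environment variable, so the value is readable from the container's stored configuration and by any process inside it, even though the Heat parameter is `hidden`. The `list_join` entry that follows in the context lines suggests another value is already passed the same way, so this may be an accepted pattern here; the entry is cut off by the hunk, so I cannot confirm it. If it is accepted, a comment such as `# NOTE: secret, only needed by the one-shot bootstrap container` above the new entry would record the decision. The environment list starts and ends outside the hunk.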
index 57cf2c5..d474332 100644 (file)
@@ -14,6 +14,10 @@ resource_registry:
   OS::TripleO::Services::AodhEvaluator: ../docker/services/aodh-evaluator.yaml
   OS::TripleO::Services::AodhListener: ../docker/services/aodh-listener.yaml
   OS::TripleO::Services::AodhNotifier: ../docker/services/aodh-notifier.yaml
+  OS::TripleO::Services::CeilometerAgentCentral: ../docker/services/ceilometer-agent-central.yaml
+  OS::TripleO::Services::CeilometerAgentIpmi: ../docker/services/ceilometer-agent-ipmi.yaml
+  OS::TripleO::Services::CeilometerAgentNotification: ../docker/services/ceilometer-agent-notification.yaml
+  OS::TripleO::Services::ComputeCeilometerAgent: ../docker/services/ceilometer-agent-compute.yaml
   OS::TripleO::Services::ComputeNeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml
   OS::TripleO::Services::GlanceApi: ../docker/services/glance-api.yaml
   OS::TripleO::Services::GnocchiApi: ../docker/services/gnocchi-api.yaml
@@ -24,15 +28,16 @@ resource_registry:
   OS::TripleO::Services::HeatEngine: ../docker/services/heat-engine.yaml
   OS::TripleO::Services::Iscsid: ../docker/services/iscsid.yaml
   OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
-  OS::TripleO::Services::NovaMigrationTarget: ../docker/services/nova-migration-target.yaml
-  OS::TripleO::Services::NeutronServer: ../docker/services/neutron-api.yaml
+  OS::TripleO::Services::Memcached: ../docker/services/memcached.yaml
   OS::TripleO::Services::NeutronApi: ../docker/services/neutron-api.yaml
   OS::TripleO::Services::NeutronCorePlugin: ../docker/services/neutron-plugin-ml2.yaml
-  OS::TripleO::Services::NeutronMetadataAgent: ../docker/services/neutron-metadata.yaml
-  OS::TripleO::Services::NeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml
   OS::TripleO::Services::NeutronDhcpAgent: ../docker/services/neutron-dhcp.yaml
   OS::TripleO::Services::NeutronL3Agent: ../docker/services/neutron-l3.yaml
+  OS::TripleO::Services::NeutronMetadataAgent: ../docker/services/neutron-metadata.yaml
+  OS::TripleO::Services::NeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml
+  OS::TripleO::Services::NeutronServer: ../docker/services/neutron-api.yaml
   OS::TripleO::Services::PankoApi: ../docker/services/panko-api.yaml
+  OS::TripleO::Services::Redis: ../docker/services/database/redis.yaml
   OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml
   OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml
   OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
index 601554a..ce64311 100644 (file)
@@ -1,13 +1,13 @@
 # A Heat environment file which can be used to enable a
 # a Neutron Nuage backend on the controller, configured via puppet
 resource_registry:
+  OS::TripleO::Services::NeutronDhcpAgent: OS::Heat::None
   OS::TripleO::Services::NeutronL3Agent: OS::Heat::None
   OS::TripleO::Services::NeutronMetadataAgent: OS::Heat::None
   OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None
   OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None
   # Override the NeutronCorePlugin to use Nuage
-  OS::TripleO::Services::NeutronCorePlugin: OS::TripleO::Services::NeutronCorePluginNuage
-  OS::TripleO::Services::ComputeNeutronCorePlugin: ../puppet/services/neutron-compute-plugin-nuage.yaml
+  OS::TripleO::Services::NeutronCorePlugin: OS::TripleO::Services::NeutronCorePluginML2Nuage
 
 parameter_defaults:
   NeutronNuageNetPartitionName: 'default_name'
@@ -18,9 +18,18 @@ parameter_defaults:
   NeutronNuageBaseURIVersion: 'default_uri_version'
   NeutronNuageCMSId: ''
   UseForwardedFor: true
-  NeutronCorePlugin: 'nuage_neutron.plugins.nuage.plugin.NuagePlugin'
-  NeutronEnableDHCPAgent: false
-  NeutronServicePlugins: []
-  NovaOVSBridge: 'alubr0'
-  controllerExtraConfig:
+  NeutronServicePlugins: ''
+  NeutronDBSyncExtraParams: '--config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini'
+  NeutronTypeDrivers: ''
+  NeutronNetworkType: ''
+  NeutronMechanismDrivers: ''
+  NeutronPluginExtensions: ''
+  NeutronFlatNetworks: ''
+  NeutronTunnelIdRanges: ''
+  NeutronNetworkVLANRanges: ''
+  NeutronVniRanges: ''
+  NovaOVSBridge: 'default_bridge'
+  NeutronMetadataProxySharedSecret: 'default'
+  InstanceNameTemplate: 'inst-%08x'
+  ControllerExtraConfig:
     neutron::api_extensions_path: '/usr/lib/python2.7/site-packages/neutron/plugins/nuage/'
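Review bot: `NeutronMetadataProxySharedSecret: 'default'` ships a fixed, publicly known value for a shared secret, so a deployment that includes this environment file unmodified ends up with a predictable secret. The same applies to `NuageMetadataProxySharedSecret: 'default'` added in environments/nova-nuage-config.yaml. Suggest leaving both keys out of `parameter_defaults` so that a deployment-specific value has to be supplied, or at least marking them with `# MUST be overridden with a deployment-specific secret`. The block of empty-string overrides (`NeutronTypeDrivers: ''` through `NeutronVniRanges: ''`) would also benefit from a one-line comment saying why they are blanked.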
index 56c64d1..5e75ed9 100644 (file)
@@ -2,7 +2,13 @@
 # Nuage backend on the compute, configured via puppet
 resource_registry:
   OS::TripleO::ComputeExtraConfigPre: ../puppet/extraconfig/pre_deploy/compute/nova-nuage.yaml
+  OS::TripleO::Services::ComputeNeutronCorePlugin: ../puppet/services/neutron-compute-plugin-nuage.yaml
 
 parameter_defaults:
   NuageActiveController: '0.0.0.0'
   NuageStandbyController: '0.0.0.0'
+  NovaOVSBridge: 'default_bridge'
+  NovaComputeLibvirtType: 'default_type'
+  NovaIPv6: False
+  NuageMetadataProxySharedSecret: 'default'
+  NuageNovaApiEndpoint: 'default_endpoint'
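Review bot: `NovaIPv6: False` uses the capitalised YAML 1.1 boolean, while environments/neutron-nuage-config.yaml in this commit writes `UseForwardedFor: true`; `NovaIPv6: false` is the portable spelling. The placeholder strings `'default_type'` and `'default_endpoint'` are passed through as real values if the operator forgets to override them. A comment such as `# Placeholders below must be replaced before deployment` above them would make that explicit.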
index 2f03c83..32da7ed 100644 (file)
@@ -42,10 +42,9 @@ resources:
         str_replace:
           template: |
             #!/bin/bash
-            curl http://169.254.169.254/openstack/2012-08-10/meta_data.json -o /root/meta_data.json
             mkdir -p /home/$user/.ssh
             chmod 700 /home/$user/.ssh
-            cat /root/meta_data.json | jq -r ".keys[0].data" > /home/$user/.ssh/authorized_keys
+            os-apply-config --key public-keys.0.openssh-key --type raw > /home/$user/.ssh/authorized_keys
             chmod 600 /home/$user/.ssh/authorized_keys
             chown -R $user:$user /home/$user/.ssh
           params:
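Review bot: The redirect into `authorized_keys` is not checked, and the script has no `set -e` after the `#!/bin/bash` line. If `os-apply-config` fails or the `public-keys.0.openssh-key` key is absent, the shell still creates an empty file and the `chmod`/`chown` lines run as if a key had been installed. Suggest failing loudly, e.g. `os-apply-config --key public-keys.0.openssh-key --type raw > /home/$user/.ssh/authorized_keys || exit 1`. `$user` is also used unquoted in every path; it appears to be substituted by `str_replace` from the `params` block, which continues outside the hunk, so the characters that parameter accepts are worth constraining.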
index 0d3b875..0b4b4fe 100644 (file)
@@ -154,6 +154,7 @@ resource_registry:
   OS::TripleO::Services::NeutronCorePluginML2OVN: puppet/services/neutron-plugin-ml2-ovn.yaml
   OS::TripleO::Services::NeutronCorePluginPlumgrid: puppet/services/neutron-plugin-plumgrid.yaml
   OS::TripleO::Services::NeutronCorePluginNuage: puppet/services/neutron-plugin-nuage.yaml
+  OS::TripleO::Services::NeutronCorePluginML2Nuage: puppet/services/neutron-plugin-ml2-nuage.yaml
   OS::TripleO::Services::NeutronCorePluginNSX: puppet/services/neutron-plugin-nsx.yaml
   OS::TripleO::Services::OVNDBs: OS::Heat::None
   OS::TripleO::Services::OVNController: OS::Heat::None
index 3355a0d..642685a 100644 (file)
@@ -30,6 +30,12 @@ parameters:
     description: Mapping of service endpoint -> protocol. Typically set
                  via parameter_defaults in the resource registry.
     type: json
+  HAProxyInternalTLSCertsDirectory:
+    default: '/etc/pki/tls/certs/haproxy'
+    type: string
+  HAProxyInternalTLSKeysDirectory:
+    default: '/etc/pki/tls/private/haproxy'
+    type: string
 
 resources:
 
@@ -55,16 +61,30 @@ outputs:
       config_settings:
         generate_service_certificates: true
         tripleo::haproxy::use_internal_certificates: true
-        tripleo::certmonger::haproxy_dirs::certificate_dir: '/etc/pki/tls/certs/haproxy'
-        tripleo::certmonger::haproxy_dirs::key_dir: '/etc/pki/tls/private/haproxy'
+        tripleo::certmonger::haproxy_dirs::certificate_dir:
+          get_param: HAProxyInternalTLSCertsDirectory
+        tripleo::certmonger::haproxy_dirs::key_dir:
+          get_param: HAProxyInternalTLSKeysDirectory
       certificates_specs:
         map_merge:
           repeat:
             template:
               haproxy-NETWORK:
-                service_pem: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-NETWORK.pem'
-                service_certificate: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-NETWORK.crt'
-                service_key: '/etc/pki/tls/private/haproxy/overcloud-haproxy-NETWORK.key'
+                service_pem:
+                  list_join:
+                  - ''
+                  - - {get_param: HAProxyInternalTLSCertsDirectory}
+                    - '/overcloud-haproxy-NETWORK.pem'
+                service_certificate:
+                  list_join:
+                  - ''
+                  - - {get_param: HAProxyInternalTLSCertsDirectory}
+                    - '/overcloud-haproxy-NETWORK.crt'
+                service_key:
+                  list_join:
+                  - ''
+                  - - {get_param: HAProxyInternalTLSKeysDirectory}
+                    - '/overcloud-haproxy-NETWORK.key'
                 hostname: "%{hiera('cloud_name_NETWORK')}"
                 postsave_cmd: "" # TODO
                 principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
index f1739f7..b2766c4 100644 (file)
@@ -30,6 +30,12 @@ parameters:
     description: Mapping of service endpoint -> protocol. Typically set
                  via parameter_defaults in the resource registry.
     type: json
+  HAProxyInternalTLSCertsDirectory:
+    default: '/etc/pki/tls/certs/haproxy'
+    type: string
+  HAProxyInternalTLSKeysDirectory:
+    default: '/etc/pki/tls/private/haproxy'
+    type: string
 
 outputs:
   role_data:
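Review bot: The public-TLS template declares parameters named `HAProxyInternalTLSCertsDirectory` and `HAProxyInternalTLSKeysDirectory`, the same names added to puppet/services/haproxy-internal-tls-certmonger.yaml in this commit, and neither carries a `description` in either file. If `parameter_defaults` are resolved by name, a single override moves both the internal and the public certificate and key locations, which the `Internal` in the name does not suggest. Suggest documenting this on both templates, e.g. `description: Directory for HAProxy certificates; shared by the internal and public TLS services`, with a matching line for the keys directory.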
@@ -38,14 +44,32 @@ outputs:
       service_name: haproxy_public_tls_certmonger
       config_settings:
         generate_service_certificates: true
-        tripleo::haproxy::service_certificate: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.pem'
-        tripleo::certmonger::haproxy_dirs::certificate_dir: '/etc/pki/tls/certs/haproxy'
-        tripleo::certmonger::haproxy_dirs::key_dir: '/etc/pki/tls/private/haproxy'
+        tripleo::haproxy::service_certificate:
+          list_join:
+          - ''
+          - - {get_param: HAProxyInternalTLSCertsDirectory}
+            - '/overcloud-haproxy-external.pem'
+        tripleo::certmonger::haproxy_dirs::certificate_dir:
+          get_param: HAProxyInternalTLSCertsDirectory
+        tripleo::certmonger::haproxy_dirs::key_dir:
+          get_param: HAProxyInternalTLSKeysDirectory
       certificates_specs:
         haproxy-external:
-          service_pem: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.pem'
-          service_certificate: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt'
-          service_key: '/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key'
+          service_pem:
+            list_join:
+            - ''
+            - - {get_param: HAProxyInternalTLSCertsDirectory}
+              - '/overcloud-haproxy-external.pem'
+          service_certificate:
+            list_join:
+            - ''
+            - - {get_param: HAProxyInternalTLSCertsDirectory}
+              - '/overcloud-haproxy-external.crt'
+          service_key:
+            list_join:
+            - ''
+            - - {get_param: HAProxyInternalTLSKeysDirectory}
+              - '/overcloud-haproxy-external.key'
           hostname: "%{hiera('cloud_name_external')}"
           postsave_cmd: "" # TODO
           principal: "haproxy/%{hiera('cloud_name_external')}"
index 8796209..218ba74 100644 (file)
@@ -178,10 +178,10 @@ parameters:
         Cron to purge expired tokens - Week Day
     default: '*'
   KeystoneCronTokenFlushMaxDelay:
-    type: string
+    type: number
     description: >
         Cron to purge expired tokens - Max Delay
-    default: '0'
+    default: 0
   KeystoneCronTokenFlushDestination:
     type: string
     description: >
index b955689..b698004 100644 (file)
@@ -69,6 +69,12 @@ parameters:
         networks, neutron uses this value without modification. For overlay
         networks such as VXLAN, neutron automatically subtracts the overlay
         protocol overhead from this value.
+  NeutronDBSyncExtraParams:
+    default: ''
+    description: |
+        String of extra command line parameters to append to the neutron-db-manage
+        upgrade head command.
+    type: string
   ServiceData:
     default: {}
     description: Dictionary packing service data
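Review bot: `NeutronDBSyncExtraParams` is a free-form string that, per its description, is appended to the `neutron-db-manage upgrade head` command, and nothing on the parameter limits what it may contain. The value comes from operator-controlled environment files, so this is a hardening point rather than a defect. A `constraints` entry with an `allowed_pattern` limited to option-style arguments and paths would keep shell metacharacters out of the command, in case the consuming Puppet class builds it by string interpolation (not visible here). At minimum the description could add `The value is inserted verbatim into the command line.`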
@@ -134,6 +140,7 @@ outputs:
             neutron::db::database_max_retries: -1
             neutron::db::sync::db_sync_timeout: {get_param: DatabaseSyncTimeout}
             neutron::global_physnet_mtu: {get_param: NeutronGlobalPhysnetMtu}
+            neutron::db::sync::extra_params: {get_param: NeutronDBSyncExtraParams}
           - if:
             - dhcp_agents_zero
             - {}
diff --git a/puppet/services/neutron-plugin-ml2-nuage.yaml b/puppet/services/neutron-plugin-ml2-nuage.yaml
new file mode 100644 (file)
index 0000000..a7dc2e8
--- /dev/null
@@ -0,0 +1,99 @@
+heat_template_version: pike
+
+description: >
+  OpenStack Neutron ML2/Nuage plugin configured with Puppet
+
+parameters:
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  # Config specific parameters, to be provided via parameter_defaults
+  NeutronNuageNetPartitionName:
+    description: Specifies the title that you will see on the VSD
+    type: string
+    default: 'default_name'
+
+  NeutronNuageVSDIp:
+    description: IP address and port of the Virtual Services Directory
+    type: string
+
+  NeutronNuageVSDUsername:
+    description: Username to be used to log into VSD
+    type: string
+
+  NeutronNuageVSDPassword:
+    description: Password to be used to log into VSD
+    type: string
+
+  NeutronNuageVSDOrganization:
+    description: Organization parameter required to log into VSD
+    type: string
+    default: 'organization'
+
+  NeutronNuageBaseURIVersion:
+    description: URI version to be used based on the VSD release
+    type: string
+    default: 'default_uri_version'
+
+  NeutronNuageCMSId:
+    description: Cloud Management System ID (CMS ID) to distinguish between OS instances on the same VSD
+    type: string
+
+  UseForwardedFor:
+    description: Treat X-Forwarded-For as the canonical remote address. Only enable this if you have a sanitizing proxy.
+    type: boolean
+    default: false
+
+resources:
+
+  NeutronML2Base:
+    type: ./neutron-plugin-ml2.yaml
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
+outputs:
+  role_data:
+    description: Role data for the Neutron ML2/Nuage plugin
+    value:
+      service_name: neutron_plugin_ml2_nuage
+      config_settings:
+        map_merge:
+          - get_attr: [NeutronML2Base, role_data, config_settings]
+          - neutron::plugins::ml2::nuage::nuage_net_partition_name: {get_param: NeutronNuageNetPartitionName}
+            neutron::plugins::ml2::nuage::nuage_vsd_ip: {get_param: NeutronNuageVSDIp}
+            neutron::plugins::ml2::nuage::nuage_vsd_username: {get_param: NeutronNuageVSDUsername}
+            neutron::plugins::ml2::nuage::nuage_vsd_password: {get_param: NeutronNuageVSDPassword}
+            neutron::plugins::ml2::nuage::nuage_vsd_organization: {get_param: NeutronNuageVSDOrganization}
+            neutron::plugins::ml2::nuage::nuage_base_uri_version: {get_param: NeutronNuageBaseURIVersion}
+            neutron::plugins::ml2::nuage::nuage_cms_id: {get_param: NeutronNuageCMSId}
+            nova::api::use_forwarded_for: {get_param: UseForwardedFor}
+      step_config: |
+        include tripleo::profile::base::neutron::plugins::ml2
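Review bot: `NeutronNuageVSDPassword` is declared without `hidden: true`, so the VSD password would be shown in clear wherever Heat displays stack parameters; `MysqlClustercheckPassword`, added in docker/services/pacemaker/database/mysql.yaml by this same commit, does set it. Add `hidden: true` under `NeutronNuageVSDPassword`. As a smaller style point, `step_config` here uses `include tripleo::profile::base::neutron::plugins::ml2`, while puppet/services/neutron-plugin-ml2.yaml writes the same include with a leading `::`; matching that form keeps the two templates consistent.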
index dd757b5..bc91374 100644 (file)
@@ -72,6 +72,10 @@ parameters:
     default: 'vxlan'
     description: The tenant network type for Neutron.
     type: comma_delimited_list
+  NeutronFirewallDriver:
+    description: Firewall driver for realizing neutron security group function
+    type: string
+    default: 'openvswitch'
 resources:
 
   NeutronBase:
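Review bot: `NeutronFirewallDriver` defaults to `'openvswitch'`, and the second hunk of this file passes it to `neutron::plugins::ml2::firewall_driver` unconditionally, so every plugin built on this template inherits it. That includes the new puppet/services/neutron-plugin-ml2-nuage.yaml, whose environment file maps `NeutronOvsAgent` to `OS::Heat::None`. Since the description says this driver realises security groups, a value that does not match the deployed agent is worth ruling out; I cannot tell from the hunk whether the Nuage case is affected. Suggest extending the description, e.g. `description: Firewall driver for realizing neutron security group function; must match the L2 agent in use`, and setting the parameter explicitly in the Nuage environment if `openvswitch` is wrong there.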
@@ -100,6 +104,7 @@ outputs:
             neutron::plugins::ml2::tunnel_id_ranges: {get_param: NeutronTunnelIdRanges}
             neutron::plugins::ml2::vni_ranges: {get_param: NeutronVniRanges}
             neutron::plugins::ml2::tenant_network_types: {get_param: NeutronNetworkType}
+            neutron::plugins::ml2::firewall_driver: {get_param: NeutronFirewallDriver}
 
       step_config: |
         include ::tripleo::profile::base::neutron::plugins::ml2