openstack/puppet-openstack-integration
Code Issues Proposed changes
puppet-openstack-integration/manifests/nova.pp
Emilien Macchi 067e1a32a9 Stop deploying Nova API in WSGI with Apache 
It was suggested by Nova team to not deploying Nova API in WSGI with
Apache in production.
It's causing some issues that we didn't catch until now (see in the bug
report). Until we figure out what was wrong, let's disable it so we can
move forward in the upgrade process.

Note: we also need to fix orchestration in provision to make sure
Keystone is ready before creating nova flavors, and other resources.

Depends-On: I1688eae1369f6da2c7084dc3864d19708d15c78d
Change-Id: I4a0d999d5290785a416bbb11953fee7a5028a00b
Related-Bug: 1661360
2017-02-06 07:47:36 -05:00

193 lines
7.3 KiB
Puppet
Raw Blame History

# Configure the Nova service
#
# [*libvirt_rbd*]
# (optional) Boolean to configure or not Nova
# to use Libvirt RBD backend.
# Defaults to false.
#
# [*libvirt_virt_type*]
# (optional) Libvirt domain type. Options are: kvm, lxc, qemu, uml, xen
# Defaults to 'qemu'
#
# [*libvirt_cpu_mode*]
# (optional) The libvirt CPU mode to configure.
# Possible values include custom, host-model, none, host-passthrough.
# Defaults to 'none'
#
# [*volume_encryption*]
# (optional) Boolean to configure or not volume encryption
# Defaults to false.
#
class openstack_integration::nova (
$libvirt_rbd = false,
$libvirt_virt_type = 'qemu',
$libvirt_cpu_mode = 'none',
$volume_encryption = false,
) {
include ::openstack_integration::config
include ::openstack_integration::params
if $::openstack_integration::config::ssl {
openstack_integration::ssl_key { 'nova':
notify => [
Service['nova-api'],
Service['httpd'],
],
require => Package['nova-common'],
}
Exec['update-ca-certificates'] ~> Service['nova-api']
Exec['update-ca-certificates'] ~> Service['httpd']
}
$transport_url = os_transport_url({
'transport' => 'rabbit',
'host' => $::openstack_integration::config::host,
'port' => $::openstack_integration::config::rabbit_port,
'username' => 'nova',
'password' => 'an_even_bigger_secret',
})
rabbitmq_user { 'nova':
admin => true,
password => 'an_even_bigger_secret',
provider => 'rabbitmqctl',
require => Class['::rabbitmq'],
}
rabbitmq_user_permissions { 'nova@/':
configure_permission => '.*',
write_permission => '.*',
read_permission => '.*',
provider => 'rabbitmqctl',
require => Class['::rabbitmq'],
}
Rabbitmq_user_permissions['nova@/'] -> Service<| tag == 'nova-service' |>
class { '::nova::db::mysql':
password => 'nova',
}
class { '::nova::db::mysql_api':
password => 'nova',
}
# TODO(aschultz): when Ubuntu supports cells (ocata-m3) enable this
if $::osfamily == 'RedHat' {
include ::nova::cell_v2::simple_setup
}
class { '::nova::db::mysql_placement':
password => 'nova',
}
class { '::nova::keystone::auth':
public_url => "${::openstack_integration::config::base_url}:8774/v2.1",
internal_url => "${::openstack_integration::config::base_url}:8774/v2.1",
admin_url => "${::openstack_integration::config::base_url}:8774/v2.1",
password => 'a_big_secret',
}
class { '::nova::keystone::auth_placement':
public_url => "${::openstack_integration::config::base_url}:8778/placement",
internal_url => "${::openstack_integration::config::base_url}:8778/placement",
admin_url => "${::openstack_integration::config::base_url}:8778/placement",
password => 'a_big_secret',
}
class { '::nova::keystone::authtoken':
password => 'a_big_secret',
user_domain_name => 'Default',
project_domain_name => 'Default',
auth_url => $::openstack_integration::config::keystone_admin_uri,
auth_uri => $::openstack_integration::config::keystone_auth_uri,
memcached_servers => $::openstack_integration::config::memcached_servers,
}
class { '::nova':
default_transport_url => $transport_url,
database_connection => 'mysql+pymysql://nova:nova@127.0.0.1/nova?charset=utf8',
api_database_connection => 'mysql+pymysql://nova_api:nova@127.0.0.1/nova_api?charset=utf8',
placement_database_connection => 'mysql+pymysql://nova_placement:nova@127.0.0.1/nova_placement?charset=utf8',
rabbit_use_ssl => $::openstack_integration::config::ssl,
use_ipv6 => $::openstack_integration::config::ipv6,
glance_api_servers => "${::openstack_integration::config::base_url}:9292",
debug => true,
notification_driver => 'messagingv2',
notify_on_state_change => 'vm_and_task_state',
use_ssl => $::openstack_integration::config::ssl,
key_file => "/etc/nova/ssl/private/${::fqdn}.pem",
cert_file => $::openstack_integration::params::cert_path,
}
class { '::nova::api':
api_bind_address => $::openstack_integration::config::host,
neutron_metadata_proxy_shared_secret => 'a_big_secret',
metadata_workers => 2,
osapi_compute_workers => 2,
default_floating_pool => 'public',
sync_db_api => true,
}
if $::osfamily == 'RedHat' {
class { '::nova::wsgi::apache_placement':
bind_host => $::openstack_integration::config::ip_for_url,
api_port => '8778',
ssl_key => "/etc/nova/ssl/private/${::fqdn}.pem",
ssl_cert => $::openstack_integration::params::cert_path,
ssl => $::openstack_integration::config::ssl,
workers => '2',
}
class { '::nova::placement':
auth_url => $::openstack_integration::config::keystone_admin_uri,
password => 'a_big_secret',
}
}
class { '::nova::client': }
class { '::nova::conductor': }
class { '::nova::consoleauth': }
class { '::nova::cron::archive_deleted_rows': }
if $volume_encryption {
$keymgr_api_class = 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
$keymgr_auth_endpoint = "${::openstack_integration::config::keystone_auth_uri}/v3"
$barbican_endpoint = "${::openstack_integration::config::base_url}:9311"
} else {
$keymgr_api_class = undef
$keymgr_auth_endpoint = undef
$barbican_endpoint = undef
}
class { '::nova::compute':
vnc_enabled => true,
instance_usage_audit => true,
instance_usage_audit_period => 'hour',
keymgr_api_class => $keymgr_api_class,
barbican_auth_endpoint => $keymgr_auth_endpoint,
barbican_endpoint => $barbican_endpoint,
}
class { '::nova::compute::libvirt':
libvirt_virt_type => $libvirt_virt_type,
libvirt_cpu_mode => $libvirt_cpu_mode,
migration_support => true,
vncserver_listen => '0.0.0.0',
# virtlock and virtlog services resources are not idempotent
# on Ubuntu, let's disable it for now.
# https://tickets.puppetlabs.com/browse/PUP-6370
virtlock_service_name => false,
virtlog_service_name => false,
}
if $libvirt_rbd {
class { '::nova::compute::rbd':
libvirt_rbd_user => 'openstack',
libvirt_rbd_secret_uuid => '7200aea0-2ddd-4a32-aa2a-d49f66ab554c',
libvirt_rbd_secret_key => 'AQD7kyJQQGoOBhAAqrPAqSopSwPrrfMMomzVdw==',
libvirt_images_rbd_pool => 'nova',
rbd_keyring => 'client.openstack',
# ceph packaging is already managed by puppet-ceph
manage_ceph_client => false,
}
# make sure ceph pool exists before running nova-compute
Exec['create-nova'] -> Service['nova-compute']
}
class { '::nova::scheduler': }
class { '::nova::scheduler::filter': }
class { '::nova::vncproxy': }
class { '::nova::network::neutron':
neutron_auth_url => "${::openstack_integration::config::keystone_admin_uri}/v3",
neutron_url => "${::openstack_integration::config::base_url}:9696",
neutron_password => 'a_big_secret',
}
}
View Git Blame Copy Permalink