diff --git a/defaults/openstack/config.pan b/defaults/openstack/config.pan
index f920850..498f4ed 100644
--- a/defaults/openstack/config.pan
+++ b/defaults/openstack/config.pan
@@ -118,12 +118,14 @@ variable OS_BARBICAN_DB_HOST ?= OS_DB_HOST;
 ##############################
 variable OS_KEYSTONE_CONTROLLER_PROTOCOL ?= 'http';
 variable OS_KEYSTONE_CONTROLLER_HOST ?= error('OS_KEYSTONE_CONTROLLER_HOST must be declared');
-variable OS_KEYSTONE_CONTROLLER_PORT ?= '35357';
+variable OS_KEYSTONE_CONTROLLER_TOKEN_PORT ?= '35357';
 variable OS_KEYSTONE_PUBLIC_CONTROLLER_HOST ?= OS_KEYSTONE_CONTROLLER_HOST;
-variable OS_KEYSTONE_PUBLIC_CONTROLLER_TOKEN_PORT ?= '5000';
+variable OS_KEYSTONE_PUBLIC_CONTROLLER_PORT ?= '5000';
 variable OS_KEYSTONE_DB_HOST ?= OS_DB_HOST;
 variable OS_KEYSTONE_DB_USERNAME ?= 'keystone';
 variable OS_KEYSTONE_DB_PASSWORD ?= 'KEYSTONE_DBPASS';
+variable OS_KEYSTONE_ENFORCE_SCOPE ?= null;
+variable OS_KEYSTONE_ENFORCE_NEW_DEFAULTS ?= OS_KEYSTONE_ENFORCE_SCOPE;
 variable OS_KEYSTONE_IDENTITY_DRIVER ?= 'sql';
 variable OS_KEYSTONE_IDENTITY_LDAP_PARAMS ?= dict();
 variable OS_KEYSTONE_TOKEN_AUTH_TYPE ?= 'password';
diff --git a/features/ceilometer/meters/nova/rpms/compute.pan b/features/ceilometer/meters/nova/rpms/compute.pan
index b3e86b5..47d2d81 100644
--- a/features/ceilometer/meters/nova/rpms/compute.pan
+++ b/features/ceilometer/meters/nova/rpms/compute.pan
@@ -1,9 +1,7 @@
 unique template features/ceilometer/meters/nova/rpms/compute;
 '/software/packages' = {
- pkg_repl('openstack-ceilometer-compute');
- pkg_repl('python3-ceilometerclient');
- pkg_repl('python3-pecan');
+ pkg_repl('openstack-ceilometer-compute');
- SELF;
+ SELF;
 };
diff --git a/features/ceilometer/rpms.pan b/features/ceilometer/rpms.pan
index fc34cbe..5c1cb89 100644
--- a/features/ceilometer/rpms.pan
+++ b/features/ceilometer/rpms.pan
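Review bot: The two `?=` variables at the top of the keystone block are renamed in place (`OS_KEYSTONE_CONTROLLER_PORT` becomes `OS_KEYSTONE_CONTROLLER_TOKEN_PORT`, `OS_KEYSTONE_PUBLIC_CONTROLLER_TOKEN_PORT` becomes `OS_KEYSTONE_PUBLIC_CONTROLLER_PORT`), so a site template that overrides one of the old names keeps compiling while its value is silently ignored and the built-in port is used instead. A guard on each old name would turn that into a compile-time failure, something along the lines of `variable OS_KEYSTONE_CONTROLLER_PORT = if (is_defined(SELF)) error('OS_KEYSTONE_CONTROLLER_PORT was renamed OS_KEYSTONE_CONTROLLER_TOKEN_PORT') else null;`, with the same for the public variant. The keystone client hunk in features/keystone/client/config.pan still hard-codes `:35357` in `auth_url` rather than using the new `OS_KEYSTONE_CONTROLLER_TOKEN_PORT`, which is presumably what the rename is preparing for.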
@@ -3,7 +3,6 @@ unique template features/ceilometer/rpms;
 '/software/packages' = {
 pkg_repl('openstack-ceilometer-notification');
 pkg_repl('openstack-ceilometer-central');
-pkg_repl('python3-ceilometerclient');
 openstack_add_httpd_packages( OS_CEILOMETER_CONTROLLER_PROTOCOL == 'https' );
 SELF;
diff --git a/features/glance/config.pan b/features/glance/config.pan
index 04e5626..3d7b140 100644
--- a/features/glance/config.pan
+++ b/features/glance/config.pan
@@ -83,6 +83,12 @@ bind '/software/components/metaconfig/services/{/etc/glance/glance-api.conf}/con
 'contents/DEFAULT/log_file' = OS_GLANCE_LOG_FILE;
 'contents/DEFAULT/show_image_direct_url' = OS_COW_IMG_CLONING_ENABLED;
 'contents/DEFAULT/show_multiple_locations' = OS_GLANCE_MULTIPLE_LOCATIONS;
+'contents/DEFAULT/worker_self_reference_url' = format(
+ '%s://%s:%s',
+ OS_GLANCE_CONTROLLER_PROTOCOL,
+ OS_GLANCE_CONTROLLER_HOST,
+ OS_GLANCE_CONTROLLER_PORT
+);
 'contents/DEFAULT/workers' = OS_GLANCE_WORKERS_NUM;
 # [database] section
diff --git a/features/keystone/client/config.pan b/features/keystone/client/config.pan
index ccebafc..7182056 100644
--- a/features/keystone/client/config.pan
+++ b/features/keystone/client/config.pan
@@ -3,6 +3,8 @@ structure template features/keystone/client/config;
 'auth_url' = format('%s://%s:35357', OS_KEYSTONE_CONTROLLER_PROTOCOL, OS_KEYSTONE_CONTROLLER_HOST);
 'auth_type' = OS_KEYSTONE_TOKEN_AUTH_TYPE;
 'auth_version' = 'v3';
+'enforce_scope' = OS_KEYSTONE_ENFORCE_SCOPE;
+'enforce_new_defaults' = OS_KEYSTONE_ENFORCE_NEW_DEFAULTS;
 'memcached_servers' = list('localhost:11211');
 'project_domain_id' = 'default';
 'user_domain_id' = 'default';
diff --git a/features/nova/compute/config.pan b/features/nova/compute/config.pan
index d606a52..5425058 100644
--- a/features/nova/compute/config.pan
+++ b/features/nova/compute/config.pan
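Review bot: `enforce_scope` and `enforce_new_defaults` are added to the keystone client structure that this repository types as `openstack_keystone_authtoken` (the matching type change is in the types/openstack/core.pan hunk), but as far as I know those two options are read by oslo.policy from the `[oslo_policy]` section, not by keystonemiddleware from `[keystone_authtoken]`. If that is the case, setting them here has no effect, and an operator who sets `OS_KEYSTONE_ENFORCE_SCOPE` to true would believe scope enforcement is on while the services still run with the legacy policy defaults. With the `null` defaults from defaults/openstack/config.pan both keys are simply dropped, so nothing changes until someone sets the variable. Confirm which section the consumer reads them from; if it is `[oslo_policy]`, move them there, otherwise add a comment naming the services that pick this structure up for that purpose.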
@@ -8,6 +8,22 @@ required = no
 }
 variable OS_NOVA_LIVE_MIGRATION_SITE_CONFIG ?= undef;
+@{
+desc = max number of files that can be opened. Must be large enough when \ the compute server has a large number of cores, to accomodate a large \ number of VMs
+values = long
+default = 32 files / physical core (e.g. 4096 on a 128 physical core machine), with a minimum = 1024
+required = no
+}
+variable OS_NOVA_COMPUTE_MAX_FILES ?= {
+ nofile = value('/hardware/cpu/0/cores') * length(value('/hardware/cpu')) * 32;
+ # 1024 is the default value, do not set a lower value
+ if ( nofile < 1024 ) {
+ nofile = 1024;
+ };
+ nofile;
+};
 variable OS_NODE_SERVICES = append('nova');
@@ -67,6 +83,7 @@ prefix '/software/components/systemd/unit';
 'libvirtd/startstop' = true;
 'openstack-nova-compute/startstop' = true;
+'openstack-nova-compute/file/config/service/LimitNOFILE' = OS_NOVA_COMPUTE_MAX_FILES;
 # Configuration file for nova
 include 'components/metaconfig/config';
diff --git a/features/octavia/config.pan b/features/octavia/config.pan
index 2a76bdf..df2b01e 100644
--- a/features/octavia/config.pan
+++ b/features/octavia/config.pan
@@ -11,6 +11,9 @@ include 'types/openstack/octavia';
 # Include general openstack variables
 include 'defaults/openstack/config';
+# Configure gunicorn
+# 2024-03-17: Work in progress - not working yet
+#include 'features/octavia/gunicorn/config';
 @{
 desc = password used to encrypt CA private key for both Octavia CAs
@@ -18,7 +21,9 @@ values = string, 32 characters long
 default = none
 required = yes
 }
-variable OS_OCTAVIA_CA_KEY_PASSWORD ?= error('You must define OS_OCTAVIA_CA_KEY_PASSWORD with the passaword to use when the Octavia CAs');
+variable OS_OCTAVIA_CA_KEY_PASSWORD ?= error(
+ 'You must define OS_OCTAVIA_CA_KEY_PASSWORD with the passaword to use when the Octavia CAs'
+);
 variable OS_OCTAVIA_CA_KEY_PASSWORD = if ( length(OS_OCTAVIA_CA_KEY_PASSWORD) == 32 ) {
 SELF;
 } else {
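Review bot: `OS_NOVA_COMPUTE_MAX_FILES` reads the core count from `/hardware/cpu/0/cores` only and multiplies it by the number of `/hardware/cpu` entries, so the limit is sized from the first socket; if the hardware schema guarantees identical sockets that is acceptable, but it should be stated next to the computation, e.g. `# Assumes every /hardware/cpu entry has the same core count as cpu/0`. The annotation has `accomodate` for `accommodate`, and the inline comment `# 1024 is the default value, do not set a lower value` does not say whose default — presumably the systemd soft limit for services — so `# 1024 is the default LimitNOFILE soft limit, never go below it` would read better. The `LimitNOFILE` assignment that consumes the variable is in the second hunk of this file.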
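Review bot: The gunicorn wiring for Octavia lands as a commented-out `#include` with a dated "not working yet" note, which will either be forgotten or uncommented by hand on a single site. A variable-gated include, for example an `OS_OCTAVIA_GUNICORN_ENABLED ?= false` checked before including `features/octavia/gunicorn/config`, keeps the work-in-progress out of every profile by default while letting it be exercised from a site template without editing this file, and the date can then live in the commit history instead of the comment.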
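Review bot: The reflowed error message keeps two pre-existing defects in the string: `passaword`, and the truncated phrase `to use when the Octavia CAs`, which reads as if a word is missing (the amphora variant in the next hunk says `to use when creating the Octavia CAs`). Since the line is rewritten anyway, fix the text in the same commit: `'You must define OS_OCTAVIA_CA_KEY_PASSWORD with the password to use when creating the Octavia CAs'`. The `if` block that follows continues outside this hunk.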
@@ -32,7 +37,9 @@ values = string (strong and long >= 20 characters)
 default = none
 required = yes
 }
-variable OS_OCTAVIA_AMPHORA_CERT_PASSWORD ?= error('You must define OS_OCTAVIA_AMPHORA_CERT_PASSWORD with the password to use when creating the Octavia CAs');
+variable OS_OCTAVIA_AMPHORA_CERT_PASSWORD ?= error(
+ 'You must define OS_OCTAVIA_AMPHORA_CERT_PASSWORD with the password to use when creating the Octavia CAs'
+);
 variable OS_OCTAVIA_AMPHORA_CERT_PASSWORD = if ( length(OS_OCTAVIA_AMPHORA_CERT_PASSWORD) >= 20 ) {
 OS_OCTAVIA_AMPHORA_CERT_PASSWORD;
 } else {
@@ -73,7 +80,9 @@ values = string
 default = none
 required = yes
 }
-variable OS_OCTAVIA_SERVICE_SSH_KEY ?= error('You must define OS_OCTAVIA_SERVICE_SSH_KEY with the OpenStack name of the octavia user SSH key to use');
+variable OS_OCTAVIA_SERVICE_SSH_KEY ?= error(
+ 'You must define OS_OCTAVIA_SERVICE_SSH_KEY with the OpenStack name of the octavia user SSH key to use'
+);
 # For the following parameters, default values should be appropriate
@@ -137,7 +146,12 @@ bind '/software/components/metaconfig/services/{/etc/octavia/octavia.conf}/conte
 'contents/controller_worker/client_ca' = format('%s/client_ca.cert.pem', OS_OCTAVIA_CA_CERT_DIR);
 # [database] section
-'contents/database/connection' = format('mysql+pymysql://%s:%s@%s/octavia', OS_OCTAVIA_DB_USERNAME, OS_OCTAVIA_DB_PASSWORD, OS_OCTAVIA_DB_HOST);
+'contents/database/connection' = format(
+ 'mysql+pymysql://%s:%s@%s/octavia',
+ OS_OCTAVIA_DB_USERNAME,
+ OS_OCTAVIA_DB_PASSWORD,
+ OS_OCTAVIA_DB_HOST
+);
 # [haproxy_amphora] section
 'contents/haproxy_amphora/client_cert' = format('%s/client.cert-and-key.pem', OS_OCTAVIA_CA_CERT_DIR);
@@ -161,7 +175,9 @@ bind '/software/components/metaconfig/services/{/etc/octavia/octavia.conf}/conte
 'contents/oslo_messaging_notifications' = openstack_load_config('features/oslo_messaging/notifications');
 # [service_auth] section
-'contents/service_auth' = value('/software/components/metaconfig/services/{/etc/octavia/octavia.conf}/contents/keystone_authtoken');
+'contents/service_auth' = value(
+ '/software/components/metaconfig/services/{/etc/octavia/octavia.conf}/contents/keystone_authtoken'
+);
 'contents/service_auth/region_name' = null;
 'contents/service_auth/www_authenticate_uri' = null;
diff --git a/features/octavia/gunicorn/config.pan b/features/octavia/gunicorn/config.pan
new file mode 100644
index 0000000..d29c142
--- /dev/null
+++ b/features/octavia/gunicorn/config.pan
@@ -0,0 +1,17 @@
+unique template features/octavia/gunicorn/config;
+
+
+# Include gunicorn base configuration
+include 'features/openstack/gunicorn/config';
+
+
+# Define gunicorn configuration for Octavia
+include 'components/metaconfig/config';
+prefix '/software/components/metaconfig/services/{/etc/sysconfig/gunicorn.octavia}';
+'module' = 'tiny';
+# panlint disable=LP006
+bind '/software/components/metaconfig/services/{/etc/sysconfig/gunicorn.octavia}/contents' = openstack_gunicorn_sysconfig;
+
+'contents/GUNICORN_APP' = "\"'octavia.api.app:setup_app()'\"";
+'contents/GUNICORN_APP_CONFIG' = '/var/lib/octavia/gunicorn_app.py';
+'contents/GUNICORN_APP_DIR' = '/etc/octavia';
diff --git a/features/openstack/gunicorn/config.pan b/features/openstack/gunicorn/config.pan
new file mode 100644
index 0000000..94c7ca1
--- /dev/null
+++ b/features/openstack/gunicorn/config.pan
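Review bot: `'contents/GUNICORN_APP' = "\"'octavia.api.app:setup_app()'\""` carries two layers of quoting with no explanation, and the value is later interpolated into a `/bin/sh -c` command line by features/openstack/gunicorn/gunicorn_service.pan, so whoever edits it needs to know which layer is consumed where. Add a comment above it along the lines of `# Outer double quotes are consumed when systemd reads the EnvironmentFile; the inner single quotes survive into the sh -c command so the parentheses are not parsed by the shell` — presumably that is the intent, but given the "not working yet" note in features/octavia/config.pan please confirm it matches what actually reaches gunicorn. Because every value in this sysconfig file ends up on a shell command line, the rendered file must stay root-owned and not writable by the service account; the metaconfig defaults presumably give that, but it is worth saying so in the same comment.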
@@ -0,0 +1,10 @@
+unique template features/openstack/gunicorn/config;
+
+# Add gunicorn RPM
+'/software/packages' = pkg_repl('python3-gunicorn');
+
+# Load gunicorn sysconfig file schema
+include 'features/openstack/gunicorn/sysconfig_schema';
+
+# Define gunicorn template service
+include 'features/openstack/gunicorn/gunicorn_service';
diff --git a/features/openstack/gunicorn/gunicorn_service.pan b/features/openstack/gunicorn/gunicorn_service.pan
new file mode 100644
index 0000000..c61ced0
--- /dev/null
+++ b/features/openstack/gunicorn/gunicorn_service.pan
@@ -0,0 +1,34 @@
+# Add gunicorn service template to systemd configuration
+
+unique template features/openstack/gunicorn/gunicorn_service;
+
+variable GUNICORN_BIN ?= '/usr/bin/gunicorn';
+variable GUNICORN_PID_FILE = '/var/run/gunicorn.%i.pid';
+
+include 'components/systemd/config';
+
+'/software/components/systemd/skip/service' = false;
+
+# This is a template unit file
+'/software/components/systemd/unit/{gunicorn@}/file/only' = true;
+'/software/components/systemd/unit/{gunicorn@}/file/replace' = true;
+'/software/components/systemd/unit/{gunicorn@}/startstop' = false;
+
+prefix '/software/components/systemd/unit/{gunicorn@}/file/config/unit';
+'Description' = 'gunicorn service %I';
+
+prefix '/software/components/systemd/unit/{gunicorn@}/file/config/install';
+'WantedBy' = list('multi-user.target');
+
+prefix '/software/components/systemd/unit/{gunicorn@}/file/config/service';
+'EnvironmentFile' = list('/etc/sysconfig/gunicorn.%i');
+# Use sh to run the command to avoid problems with quoting and allow correct parsing of GUNICORN_OPTIONS
+'ExecStart' = format(
+ "/bin/sh -cv '%s --chdir ${GUNICORN_APP_DIR} --pid %s " +
+ "--config ${GUNICORN_APP_CONFIG} ${GUNICORN_OPTIONS} ${GUNICORN_APP}'",
+ GUNICORN_BIN,
+ GUNICORN_PID_FILE
+);
+'PIDFile' = GUNICORN_PID_FILE;
+'Restart' = 'always';
+'SyslogIdentifier' = 'gunicorn';
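Review bot: The `gunicorn@` template unit sets no `User`/`Group` under `file/config/service`, so unless the systemd component supplies one, every instance — the Octavia API included — runs as root; a per-instance service account is needed for least privilege, e.g. a `GUNICORN_USER` pan variable rendered as `'User' = GUNICORN_USER;` (it cannot come from the EnvironmentFile, since systemd does not expand `${...}` in `User=`). `GUNICORN_PID_FILE` is `/var/run/gunicorn.%i.pid`, whereas `PIDFile=` is expected below `/run` on current systemd and the legacy path produces a warning at unit load; `variable GUNICORN_PID_FILE = '/run/gunicorn.%i.pid';` avoids it. `sh -cv` also echoes the fully expanded command line, i.e. the value of every variable read from the EnvironmentFile, to the journal on every start — useful while the template is being debugged, but `-v` should go once it works.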
diff --git a/features/openstack/gunicorn/sysconfig_schema.pan b/features/openstack/gunicorn/sysconfig_schema.pan
new file mode 100644
index 0000000..b94b49f
--- /dev/null
+++ b/features/openstack/gunicorn/sysconfig_schema.pan
@@ -0,0 +1,8 @@
+unique template features/openstack/gunicorn/sysconfig_schema;
+
+type openstack_gunicorn_sysconfig = {
+ 'GUNICORN_APP' : string
+ 'GUNICORN_APP_CONFIG' : absolute_file_path with match(SELF, '.*\.py')
+ 'GUNICORN_APP_DIR' : absolute_file_path
+ 'GUNICORN_OPTIONS' ? string
+};
diff --git a/types/openstack/core.pan b/types/openstack/core.pan
index 253aba1..cb4a141 100644
--- a/types/openstack/core.pan
+++ b/types/openstack/core.pan
@@ -75,6 +75,8 @@ type openstack_keystone_authtoken = {
 'auth_url' : type_hostURI
 'auth_type' : string
 'auth_version' ? string
+'enforce_scope' ? boolean
+'enforce_new_defaults' ? boolean
 'memcached_servers' ? type_hostport[]
 'password' : string
 'project_domain_id' ? string
diff --git a/types/openstack/glance.pan b/types/openstack/glance.pan
index 2a2a346..a4b469a 100644
--- a/types/openstack/glance.pan
+++ b/types/openstack/glance.pan
@@ -18,6 +18,7 @@ type openstack_glance_defaults = {
 'public_endpoint' ? type_hostURI
 'show_image_direct_url' ? boolean = false
 'show_multiple_locations' ? boolean
+'worker_self_reference_url' ? type_hostURI
 'workers' ? long
 };
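Review bot: The validation `match(SELF, '.*\.py')` on `GUNICORN_APP_CONFIG` is not anchored, so any path that merely contains `.py` somewhere — a directory component ending in `.py`, or a `.pyc` file — satisfies it, which defeats the purpose of restricting the gunicorn config to a Python source file. Anchor the suffix: `'GUNICORN_APP_CONFIG' : absolute_file_path with match(SELF, '\.py$')`. `GUNICORN_OPTIONS` is a free-form string that the service template later hands to `sh -c`; a comment on that field saying so would help the next person who adds a value to it.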