quattor · jrha · Nov 8, 2024 · Nov 7, 2024
diff --git a/defaults/openstack/config.pan b/defaults/openstack/config.pan
@@ -118,12 +118,14 @@ variable OS_BARBICAN_DB_HOST ?= OS_DB_HOST;
 ##############################
 variable OS_KEYSTONE_CONTROLLER_PROTOCOL ?= 'http';
 variable OS_KEYSTONE_CONTROLLER_HOST ?= error('OS_KEYSTONE_CONTROLLER_HOST must be declared');
-variable OS_KEYSTONE_CONTROLLER_PORT ?= '35357';
+variable OS_KEYSTONE_CONTROLLER_TOKEN_PORT ?= '35357';
 variable OS_KEYSTONE_PUBLIC_CONTROLLER_HOST ?= OS_KEYSTONE_CONTROLLER_HOST;
-variable OS_KEYSTONE_PUBLIC_CONTROLLER_TOKEN_PORT ?= '5000';
+variable OS_KEYSTONE_PUBLIC_CONTROLLER_PORT ?= '5000';
 variable OS_KEYSTONE_DB_HOST ?= OS_DB_HOST;
 variable OS_KEYSTONE_DB_USERNAME ?= 'keystone';
 variable OS_KEYSTONE_DB_PASSWORD ?= 'KEYSTONE_DBPASS';
+variable OS_KEYSTONE_ENFORCE_SCOPE ?= null;
+variable OS_KEYSTONE_ENFORCE_NEW_DEFAULTS ?= OS_KEYSTONE_ENFORCE_SCOPE;
 variable OS_KEYSTONE_IDENTITY_DRIVER ?= 'sql';
 variable OS_KEYSTONE_IDENTITY_LDAP_PARAMS ?= dict();
 variable OS_KEYSTONE_TOKEN_AUTH_TYPE ?= 'password';

diff --git a/features/ceilometer/meters/nova/rpms/compute.pan b/features/ceilometer/meters/nova/rpms/compute.pan
@@ -1,9 +1,7 @@
 unique template features/ceilometer/meters/nova/rpms/compute;
 
 '/software/packages' = {
-   pkg_repl('openstack-ceilometer-compute');
-   pkg_repl('python3-ceilometerclient');
-   pkg_repl('python3-pecan');
+    pkg_repl('openstack-ceilometer-compute');
 
-   SELF;
+    SELF;
 };
diff --git a/features/ceilometer/rpms.pan b/features/ceilometer/rpms.pan
@@ -3,7 +3,6 @@ unique template features/ceilometer/rpms;
 '/software/packages' = {
     pkg_repl('openstack-ceilometer-notification');
     pkg_repl('openstack-ceilometer-central');
-    pkg_repl('python3-ceilometerclient');
     openstack_add_httpd_packages( OS_CEILOMETER_CONTROLLER_PROTOCOL == 'https' );
 
     SELF;

diff --git a/features/glance/config.pan b/features/glance/config.pan
@@ -83,6 +83,12 @@ bind '/software/components/metaconfig/services/{/etc/glance/glance-api.conf}/con
 'contents/DEFAULT/log_file' = OS_GLANCE_LOG_FILE;
 'contents/DEFAULT/show_image_direct_url' = OS_COW_IMG_CLONING_ENABLED;
 'contents/DEFAULT/show_multiple_locations' = OS_GLANCE_MULTIPLE_LOCATIONS;
+'contents/DEFAULT/worker_self_reference_url' = format(
+    '%s://%s:%s',
+    OS_GLANCE_CONTROLLER_PROTOCOL,
+    OS_GLANCE_CONTROLLER_HOST,
+    OS_GLANCE_CONTROLLER_PORT
+);
 'contents/DEFAULT/workers' = OS_GLANCE_WORKERS_NUM;
 
 # [database] section

diff --git a/features/keystone/client/config.pan b/features/keystone/client/config.pan
@@ -3,6 +3,8 @@ structure template features/keystone/client/config;
 'auth_url' = format('%s://%s:35357', OS_KEYSTONE_CONTROLLER_PROTOCOL, OS_KEYSTONE_CONTROLLER_HOST);
 'auth_type' = OS_KEYSTONE_TOKEN_AUTH_TYPE;
 'auth_version' = 'v3';
+'enforce_scope' = OS_KEYSTONE_ENFORCE_SCOPE;
+'enforce_new_defaults' = OS_KEYSTONE_ENFORCE_NEW_DEFAULTS;
 'memcached_servers' = list('localhost:11211');
 'project_domain_id' = 'default';
 'user_domain_id' = 'default';

diff --git a/features/nova/compute/config.pan b/features/nova/compute/config.pan
@@ -8,6 +8,22 @@ required = no
 }
 variable OS_NOVA_LIVE_MIGRATION_SITE_CONFIG ?= undef;
 
+@{
+desc = max number of files that can be opened. Must be large enough when \
+       the compute server has a large number of cores, to accomodate a large \
+       number of VMs
+values = long
+default = 32 files / physical core (e.g. 4096 on a 128 physical core machine), with a minimum = 1024
+required = no
+}
+variable OS_NOVA_COMPUTE_MAX_FILES ?= {
+    nofile = value('/hardware/cpu/0/cores') * length(value('/hardware/cpu')) * 32;
+    # 1024 is the default value, do not set a lower value
+    if ( nofile  < 1024 ) {
+        nofile = 1024;
+    };
+    nofile;
+};
 
 variable OS_NODE_SERVICES = append('nova');
 
@@ -67,6 +83,7 @@ prefix '/software/components/systemd/unit';
 'libvirtd/startstop' = true;
 'openstack-nova-compute/startstop' = true;
 
+'openstack-nova-compute/file/config/service/LimitNOFILE' = OS_NOVA_COMPUTE_MAX_FILES;
 
 # Configuration file for nova
 include 'components/metaconfig/config';

diff --git a/features/octavia/config.pan b/features/octavia/config.pan
@@ -11,14 +11,19 @@ include 'types/openstack/octavia';
 # Include general openstack variables
 include 'defaults/openstack/config';
 
+# Configure gunicorn
+# 2024-03-17: Work in progress - not working yet
+#include 'features/octavia/gunicorn/config';
 
 @{
 desc = password used to encrypt CA private key for both Octavia CAs
 values = string, 32 characters long
 default = none
 required = yes
 }
-variable OS_OCTAVIA_CA_KEY_PASSWORD ?= error('You must define OS_OCTAVIA_CA_KEY_PASSWORD with the passaword to use when the Octavia CAs');
+variable OS_OCTAVIA_CA_KEY_PASSWORD ?= error(
+    'You must define OS_OCTAVIA_CA_KEY_PASSWORD with the passaword to use when the Octavia CAs'
+);
 variable OS_OCTAVIA_CA_KEY_PASSWORD = if ( length(OS_OCTAVIA_CA_KEY_PASSWORD) == 32 ) {
     SELF;
 } else {
@@ -32,7 +37,9 @@ values = string (strong and long >= 20 characters)
 default = none
 required = yes
 }
-variable OS_OCTAVIA_AMPHORA_CERT_PASSWORD ?= error('You must define OS_OCTAVIA_AMPHORA_CERT_PASSWORD with the password to use when creating the Octavia CAs');
+variable OS_OCTAVIA_AMPHORA_CERT_PASSWORD ?= error(
+    'You must define OS_OCTAVIA_AMPHORA_CERT_PASSWORD with the password to use when creating the Octavia CAs'
+);
 variable OS_OCTAVIA_AMPHORA_CERT_PASSWORD = if ( length(OS_OCTAVIA_AMPHORA_CERT_PASSWORD) >= 20 ) {
     OS_OCTAVIA_AMPHORA_CERT_PASSWORD;
 } else {
@@ -73,7 +80,9 @@ values = string
 default = none
 required = yes
 }
-variable OS_OCTAVIA_SERVICE_SSH_KEY ?= error('You must define OS_OCTAVIA_SERVICE_SSH_KEY with the OpenStack name of the octavia user SSH key to use');
+variable OS_OCTAVIA_SERVICE_SSH_KEY ?= error(
+    'You must define OS_OCTAVIA_SERVICE_SSH_KEY with the OpenStack name of the octavia user SSH key to use'
+);
 
 
 # For the following parameters, default values should be appropriate
@@ -137,7 +146,12 @@ bind '/software/components/metaconfig/services/{/etc/octavia/octavia.conf}/conte
 'contents/controller_worker/client_ca' = format('%s/client_ca.cert.pem', OS_OCTAVIA_CA_CERT_DIR);
 
 # [database] section
-'contents/database/connection' = format('mysql+pymysql://%s:%s@%s/octavia', OS_OCTAVIA_DB_USERNAME, OS_OCTAVIA_DB_PASSWORD, OS_OCTAVIA_DB_HOST);
+'contents/database/connection' = format(
+    'mysql+pymysql://%s:%s@%s/octavia',
+    OS_OCTAVIA_DB_USERNAME,
+    OS_OCTAVIA_DB_PASSWORD,
+    OS_OCTAVIA_DB_HOST
+);
 
 # [haproxy_amphora] section
 'contents/haproxy_amphora/client_cert' = format('%s/client.cert-and-key.pem', OS_OCTAVIA_CA_CERT_DIR);
@@ -161,7 +175,9 @@ bind '/software/components/metaconfig/services/{/etc/octavia/octavia.conf}/conte
 'contents/oslo_messaging_notifications' = openstack_load_config('features/oslo_messaging/notifications');
 
 # [service_auth] section
-'contents/service_auth' = value('/software/components/metaconfig/services/{/etc/octavia/octavia.conf}/contents/keystone_authtoken');
+'contents/service_auth' = value(
+    '/software/components/metaconfig/services/{/etc/octavia/octavia.conf}/contents/keystone_authtoken'
+);
 'contents/service_auth/region_name' = null;
 'contents/service_auth/www_authenticate_uri' = null;
 

diff --git a/features/octavia/gunicorn/config.pan b/features/octavia/gunicorn/config.pan
@@ -0,0 +1,17 @@
+unique template features/octavia/gunicorn/config;
+
+
+# Include gunicorn base configuration
+include 'features/openstack/gunicorn/config';
+
+
+# Define gunicorn configuration for Octavia
+include 'components/metaconfig/config';
+prefix '/software/components/metaconfig/services/{/etc/sysconfig/gunicorn.octavia}';
+'module' = 'tiny';
+# panlint disable=LP006
+bind '/software/components/metaconfig/services/{/etc/sysconfig/gunicorn.octavia}/contents' = openstack_gunicorn_sysconfig;
+
+'contents/GUNICORN_APP' = "\"'octavia.api.app:setup_app()'\"";
+'contents/GUNICORN_APP_CONFIG' = '/var/lib/octavia/gunicorn_app.py';
+'contents/GUNICORN_APP_DIR' = '/etc/octavia';
diff --git a/features/openstack/gunicorn/config.pan b/features/openstack/gunicorn/config.pan
@@ -0,0 +1,10 @@
+unique template features/openstack/gunicorn/config;
+
+# Add gunicorn RPM
+'/software/packages' = pkg_repl('python3-gunicorn');
+
+# Load gunicorn sysconfig file schema
+include 'features/openstack/gunicorn/sysconfig_schema';
+
+# Define gunicorn template service
+include 'features/openstack/gunicorn/gunicorn_service';
diff --git a/features/openstack/gunicorn/gunicorn_service.pan b/features/openstack/gunicorn/gunicorn_service.pan
@@ -0,0 +1,34 @@
+# Add gunicorn service template to systemd configuration
+
+unique template features/openstack/gunicorn/gunicorn_service;
+
+variable GUNICORN_BIN ?= '/usr/bin/gunicorn';
+variable GUNICORN_PID_FILE = '/var/run/gunicorn.%i.pid';
+
+include 'components/systemd/config';
+
+'/software/components/systemd/skip/service' = false;
+
+# This is a template unit file
+'/software/components/systemd/unit/{gunicorn@}/file/only' = true;
+'/software/components/systemd/unit/{gunicorn@}/file/replace' = true;
+'/software/components/systemd/unit/{gunicorn@}/startstop' = false;
+
+prefix '/software/components/systemd/unit/{gunicorn@}/file/config/unit';
+'Description' = 'gunicorn service %I';
+
+prefix '/software/components/systemd/unit/{gunicorn@}/file/config/install';
+'WantedBy' = list('multi-user.target');
+
+prefix '/software/components/systemd/unit/{gunicorn@}/file/config/service';
+'EnvironmentFile' = list('/etc/sysconfig/gunicorn.%i');
+# Use sh to run the command to avoid problems with quoting and allow correct parsing of GUNICORN_OPTIONS
+'ExecStart' = format(
+    "/bin/sh -cv '%s --chdir ${GUNICORN_APP_DIR} --pid %s " +
+    "--config ${GUNICORN_APP_CONFIG} ${GUNICORN_OPTIONS} ${GUNICORN_APP}'",
+    GUNICORN_BIN,
+    GUNICORN_PID_FILE
+);
+'PIDFile' = GUNICORN_PID_FILE;
+'Restart' = 'always';
+'SyslogIdentifier' = 'gunicorn';
diff --git a/features/openstack/gunicorn/sysconfig_schema.pan b/features/openstack/gunicorn/sysconfig_schema.pan
@@ -0,0 +1,8 @@
+unique template features/openstack/gunicorn/sysconfig_schema;
+
+type openstack_gunicorn_sysconfig = {
+    'GUNICORN_APP' : string
+    'GUNICORN_APP_CONFIG' : absolute_file_path with match(SELF, '.*\.py')
+    'GUNICORN_APP_DIR' : absolute_file_path
+    'GUNICORN_OPTIONS' ? string
+};
diff --git a/types/openstack/core.pan b/types/openstack/core.pan
@@ -75,6 +75,8 @@ type openstack_keystone_authtoken = {
     'auth_url' : type_hostURI
     'auth_type' : string
     'auth_version' ? string
+    'enforce_scope' ? boolean
+    'enforce_new_defaults' ? boolean
     'memcached_servers' ? type_hostport[]
     'password' : string
     'project_domain_id' ? string

diff --git a/types/openstack/glance.pan b/types/openstack/glance.pan
@@ -18,6 +18,7 @@ type openstack_glance_defaults = {
     'public_endpoint' ? type_hostURI
     'show_image_direct_url' ? boolean = false
     'show_multiple_locations' ? boolean
+    'worker_self_reference_url' ? type_hostURI
     'workers' ? long
 
 };