def create_vncproxy_manifest(config, messages):
if config["CONFIG_HORIZON_SSL"] == 'y':
if config["CONFIG_VNC_SSL_CERT"]:
ssl_cert_file = config["CONFIG_VNC_SSL_CERT"]
ssl_key_file = config["CONFIG_VNC_SSL_KEY"]
if not os.path.exists(ssl_cert_file):
raise exceptions.ParamValidationError(
"The file %s doesn't exist" % ssl_cert_file)
if not os.path.exists(ssl_key_file):
raise exceptions.ParamValidationError(
"The file %s doesn't exist" % ssl_key_file)
final_cert = open(ssl_cert_file, 'rt').read()
final_key = open(ssl_key_file, 'rt').read()
deliver_ssl_file(final_cert, ssl_cert_file, config['CONFIG_CONTROLLER_HOST'])
deliver_ssl_file(final_key, ssl_key_file, config['CONFIG_CONTROLLER_HOST'])
else:
config["CONFIG_VNC_SSL_CERT"] = '/etc/pki/tls/certs/ssl_vnc.crt'
config["CONFIG_VNC_SSL_KEY"] = '/etc/pki/tls/private/ssl_vnc.key'
ssl_key_file = config["CONFIG_VNC_SSL_KEY"]
ssl_cert_file = config["CONFIG_VNC_SSL_CERT"]
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'vnc'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
def create_manifest(config, messages):
if config["CONFIG_UNSUPPORTED"] != "y":
config["CONFIG_STORAGE_HOST"] = config["CONFIG_CONTROLLER_HOST"]
if config["CONFIG_AMQP_ENABLE_SSL"] == "y":
ssl_host = config["CONFIG_STORAGE_HOST"]
ssl_cert_file = config["CONFIG_MANILA_SSL_CERT"] = "/etc/pki/tls/certs/ssl_amqp_manila.crt"
ssl_key_file = config["CONFIG_MANILA_SSL_KEY"] = "/etc/pki/tls/private/ssl_amqp_manila.key"
service = "manila"
generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file)
# Change these from text to Boolean values
boolean_keys = ["CONFIG_MANILA_GENERIC_DRV_HANDLES_SHARE_SERVERS", "CONFIG_MANILA_NETAPP_DRV_HANDLES_SHARE_SERVERS"]
for key in [k for k in boolean_keys if k in config]:
if config[key].lower() == "true":
config[key] = True
elif config[key].lower() == "false":
config[key] = False
# manila API should be open for everyone
fw_details = dict()
key = "manila_api"
fw_details.setdefault(key, {})
fw_details[key]["host"] = "ALL"
fw_details[key]["service_name"] = "manila-api"
fw_details[key]["chain"] = "INPUT"
fw_details[key]["ports"] = ["8786"]
fw_details[key]["proto"] = "tcp"
config["FIREWALL_MANILA_API_RULES"] = fw_details
def create_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_TROVE_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_trove.crt'
)
ssl_key_file = config['CONFIG_TROVE_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_trove.key'
)
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'trove'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
if (config['CONFIG_TROVE_NOVA_USER'] == 'trove' and
config['CONFIG_TROVE_NOVA_PW'] == ''):
config['CONFIG_TROVE_NOVA_PW'] = config['CONFIG_TROVE_KS_PW']
manifestfile = "%s_trove.pp" % config["CONFIG_CONTROLLER_HOST"]
manifestdata = getManifestTemplate(get_mq(config, "trove"))
manifestdata += getManifestTemplate('trove.pp')
fw_details = dict()
key = "trove"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "trove api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8779']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_TROVE_API_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_TROVE_API_RULES')
appendManifestFile(manifestfile, manifestdata, marker='trove')
def create_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_CONTROLLER_HOST']
ssl_cert_file = config['CONFIG_IRONIC_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_ironic.crt'
)
ssl_key_file = config['CONFIG_IRONIC_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_ironic.key'
)
service = 'ironic'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
manifestfile = "%s_ironic.pp" % config['CONFIG_CONTROLLER_HOST']
manifestdata = getManifestTemplate(get_mq(config, "ironic"))
manifestdata += getManifestTemplate("ironic.pp")
fw_details = dict()
key = "ironic-api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "ironic-api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['6385']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_IRONIC_API_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_IRONIC_API_RULES')
appendManifestFile(manifestfile, manifestdata, 'pre')
def create_manifest(config, messages):
if config['CONFIG_UNSUPPORTED'] != 'y':
config['CONFIG_SAHARA_HOST'] = config['CONFIG_CONTROLLER_HOST']
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_SAHARA_HOST']
ssl_cert_file = config['CONFIG_SAHARA_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_sahara.crt'
)
ssl_key_file = config['CONFIG_SAHARA_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_sahara.key'
)
service = 'sahara'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
key = "sahara-api"
fw_details.setdefault(key, {})
fw_details[key]["host"] = "ALL"
fw_details[key]["service_name"] = "sahara api"
fw_details[key]["chain"] = "INPUT"
fw_details[key]["ports"] = ["8386"]
fw_details[key]["proto"] = "tcp"
config["FIREWALL_SAHARA_CFN_RULES"] = fw_details
def create_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_TROVE_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_trove.crt'
)
ssl_key_file = config['CONFIG_TROVE_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_trove.key'
)
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'trove'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
if (config['CONFIG_TROVE_NOVA_USER'] == 'trove' and
config['CONFIG_TROVE_NOVA_PW'] == ''):
config['CONFIG_TROVE_NOVA_PW'] = config['CONFIG_TROVE_KS_PW']
fw_details = dict()
key = "trove"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "trove api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8779']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_TROVE_API_RULES'] = fw_details
def create_common_manifest(config, messages):
global compute_hosts, network_hosts
network_type = (config['CONFIG_NEUTRON_INSTALL'] == "y" and 'neutron'
or 'nova')
network_multi = len(network_hosts) > 1
dbacces_hosts = set([config.get('CONFIG_CONTROLLER_HOST')])
dbacces_hosts |= network_hosts
for manifestfile, marker in manifestfiles.getFiles():
pw_in_sqlconn = False
if manifestfile.endswith("_nova.pp"):
host, manifest = manifestfile.split('_', 1)
host = host.strip()
if host in compute_hosts and host not in dbacces_hosts:
# we should omit password in case we are installing only
# nova-compute to the host
perms = "nova"
pw_in_sqlconn = False
else:
perms = "nova:%s" % config['CONFIG_NOVA_DB_PW']
pw_in_sqlconn = True
mariadb_host_url = config['CONFIG_MARIADB_HOST_URL']
sqlconn = "mysql+pymysql://%s@%s/nova" % (perms, mariadb_host_url)
if pw_in_sqlconn:
config['CONFIG_NOVA_SQL_CONN_PW'] = sqlconn
else:
config['CONFIG_NOVA_SQL_CONN_NOPW'] = sqlconn
# for nova-network in multihost mode each compute host is metadata
# host otherwise we use api host
if (network_type == 'nova' and network_multi
and host in compute_hosts):
metadata = host
else:
metadata = config['CONFIG_CONTROLLER_HOST']
config['CONFIG_NOVA_METADATA_HOST'] = metadata
data = getManifestTemplate(get_mq(config, "nova_common"))
if pw_in_sqlconn:
data += getManifestTemplate("nova_common_pw")
else:
data += getManifestTemplate("nova_common_nopw")
# We need to have class nova before class nova::api, so prepend
# instead of append
prependManifestFile(os.path.split(manifestfile)[1], data)
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
nova_hosts = compute_hosts
nova_hosts |= set([config.get('CONFIG_CONTROLLER_HOST')])
ssl_cert_file = config['CONFIG_NOVA_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_nova.crt')
ssl_key_file = config['CONFIG_NOVA_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_nova.key')
service = 'nova'
for host in nova_hosts:
generate_ssl_cert(config, host, service, ssl_key_file,
ssl_cert_file)
def create_manifest(config, messages):
manifestfile = "%s_aodh.pp" % config['CONFIG_CONTROLLER_HOST']
manifestdata = getManifestTemplate(get_mq(config, "aodh"))
manifestdata += getManifestTemplate("aodh")
manifestdata += getManifestTemplate("apache_ports")
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_AODH_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_aodh.crt')
ssl_key_file = config['CONFIG_AODH_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_aodh.key')
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'aodh'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
key = "aodh_api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "aodh-api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8042']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_AODH_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_AODH_RULES')
appendManifestFile(manifestfile, manifestdata, 'aodh')
def create_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_CONTROLLER_HOST']
ssl_cert_file = config['CONFIG_HEAT_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_heat.crt'
)
ssl_key_file = config['CONFIG_HEAT_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_heat.key'
)
service = 'heat'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
manifestfile = "%s_heat.pp" % config['CONFIG_CONTROLLER_HOST']
manifestdata = getManifestTemplate(get_mq(config, "heat"))
manifestdata += getManifestTemplate("heat")
manifestdata += getManifestTemplate("keystone_heat")
fw_details = dict()
key = "heat"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "heat"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8004']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_HEAT_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_HEAT_RULES')
appendManifestFile(manifestfile, manifestdata, marker='heat')
def create_manifest(config, messages):
if config["CONFIG_AMQP_ENABLE_SSL"] == "y":
ssl_host = config["CONFIG_CONTROLLER_HOST"]
ssl_cert_file = config["CONFIG_HEAT_SSL_CERT"] = "/etc/pki/tls/certs/ssl_amqp_heat.crt"
ssl_key_file = config["CONFIG_HEAT_SSL_KEY"] = "/etc/pki/tls/private/ssl_amqp_heat.key"
service = "heat"
generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file)
manifestfile = "%s_heat.pp" % config["CONFIG_CONTROLLER_HOST"]
manifestdata = getManifestTemplate(get_mq(config, "heat"))
manifestdata += getManifestTemplate("heat")
manifestdata += getManifestTemplate("keystone_heat")
fw_details = dict()
key = "heat"
fw_details.setdefault(key, {})
fw_details[key]["host"] = "ALL"
fw_details[key]["service_name"] = "heat"
fw_details[key]["chain"] = "INPUT"
fw_details[key]["ports"] = ["8004"]
fw_details[key]["proto"] = "tcp"
config["FIREWALL_HEAT_RULES"] = fw_details
manifestdata += createFirewallResources("FIREWALL_HEAT_RULES")
appendManifestFile(manifestfile, manifestdata, marker="heat")
def create_vncproxy_manifest(config, messages):
if config["CONFIG_HORIZON_SSL"] == 'y':
if config["CONFIG_VNC_SSL_CERT"]:
ssl_cert_file = config["CONFIG_VNC_SSL_CERT"]
ssl_key_file = config["CONFIG_VNC_SSL_KEY"]
if not os.path.exists(ssl_cert_file):
raise exceptions.ParamValidationError(
"The file %s doesn't exist" % ssl_cert_file)
if not os.path.exists(ssl_key_file):
raise exceptions.ParamValidationError(
"The file %s doesn't exist" % ssl_key_file)
final_cert = open(ssl_cert_file, 'rt').read()
final_key = open(ssl_key_file, 'rt').read()
deliver_ssl_file(final_cert, ssl_cert_file, config['CONFIG_CONTROLLER_HOST'])
deliver_ssl_file(final_key, ssl_key_file, config['CONFIG_CONTROLLER_HOST'])
else:
config["CONFIG_VNC_SSL_CERT"] = '/etc/pki/tls/certs/ssl_vnc.crt'
config["CONFIG_VNC_SSL_KEY"] = '/etc/pki/tls/private/ssl_vnc.key'
ssl_key_file = config["CONFIG_VNC_SSL_KEY"]
ssl_cert_file = config["CONFIG_VNC_SSL_CERT"]
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'vnc'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
def create_manifest(config, messages):
manifestfile = "%s_aodh.pp" % config['CONFIG_CONTROLLER_HOST']
manifestdata = getManifestTemplate(get_mq(config, "aodh"))
manifestdata += getManifestTemplate("aodh")
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_AODH_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_aodh.crt'
)
ssl_key_file = config['CONFIG_AODH_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_aodh.key'
)
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'aodh'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
key = "aodh_api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "aodh-api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8042']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_AODH_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_AODH_RULES')
appendManifestFile(manifestfile, manifestdata, 'aodh')
def create_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_SAHARA_HOST']
ssl_cert_file = config['CONFIG_SAHARA_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_sahara.crt'
)
ssl_key_file = config['CONFIG_SAHARA_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_sahara.key'
)
service = 'sahara'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
manifestfile = "%s_sahara.pp" % config['CONFIG_STORAGE_HOST']
manifestdata = getManifestTemplate(get_mq(config, "sahara"))
manifestdata += getManifestTemplate("sahara.pp")
if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
manifestdata += getManifestTemplate('sahara_ceilometer')
fw_details = dict()
key = "sahara-api"
fw_details.setdefault(key, {})
fw_details[key]["host"] = "ALL"
fw_details[key]["service_name"] = "sahara api"
fw_details[key]["chain"] = "INPUT"
fw_details[key]["ports"] = ["8386"]
fw_details[key]["proto"] = "tcp"
config["FIREWALL_SAHARA_CFN_RULES"] = fw_details
manifestdata += createFirewallResources("FIREWALL_SAHARA_CFN_RULES")
appendManifestFile(manifestfile, manifestdata, marker='sahara')
def create_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_STORAGE_HOST']
ssl_cert_file = config['CONFIG_GLANCE_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_glance.crt'
)
ssl_key_file = config['CONFIG_GLANCE_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_glance.key'
)
service = 'glance'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
manifestfile = "%s_glance.pp" % config['CONFIG_STORAGE_HOST']
manifestdata = getManifestTemplate("glance")
if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
mq_template = get_mq(config, "glance_ceilometer")
manifestdata += getManifestTemplate(mq_template)
fw_details = dict()
key = "glance_api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "glance"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['9292']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_GLANCE_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_GLANCE_RULES')
appendManifestFile(manifestfile, manifestdata)
def create_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_CONTROLLER_HOST']
ssl_cert_file = config['CONFIG_HEAT_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_heat.crt')
ssl_key_file = config['CONFIG_HEAT_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_heat.key')
service = 'heat'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
manifestfile = "%s_heat.pp" % config['CONFIG_CONTROLLER_HOST']
manifestdata = getManifestTemplate(get_mq(config, "heat"))
manifestdata += getManifestTemplate("heat")
manifestdata += getManifestTemplate("keystone_heat")
fw_details = dict()
key = "heat"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "heat"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8004']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_HEAT_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_HEAT_RULES')
appendManifestFile(manifestfile, manifestdata, marker='heat')
def create_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_STORAGE_HOST']
ssl_cert_file = config['CONFIG_GLANCE_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_glance.crt')
ssl_key_file = config['CONFIG_GLANCE_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_glance.key')
service = 'glance'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
manifestfile = "%s_glance.pp" % config['CONFIG_STORAGE_HOST']
manifestdata = getManifestTemplate("glance")
if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
mq_template = get_mq(config, "glance_ceilometer")
manifestdata += getManifestTemplate(mq_template)
fw_details = dict()
key = "glance_api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "glance"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['9292']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_GLANCE_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_GLANCE_RULES')
appendManifestFile(manifestfile, manifestdata)
def create_common_manifest(config, messages):
global compute_hosts, network_hosts
network_type = (config['CONFIG_NEUTRON_INSTALL'] == "y" and
'neutron' or 'nova')
network_multi = len(network_hosts) > 1
dbacces_hosts = set([config.get('CONFIG_CONTROLLER_HOST')])
dbacces_hosts |= network_hosts
for manifestfile, marker in manifestfiles.getFiles():
pw_in_sqlconn = False
if manifestfile.endswith("_nova.pp"):
host, manifest = manifestfile.split('_', 1)
host = host.strip()
if host in compute_hosts and host not in dbacces_hosts:
# we should omit password in case we are installing only
# nova-compute to the host
perms = "nova"
pw_in_sqlconn = False
else:
perms = "nova:%s" % config['CONFIG_NOVA_DB_PW']
pw_in_sqlconn = True
mariadb_host_url = config['CONFIG_MARIADB_HOST_URL']
sqlconn = "mysql://%s@%s/nova" % (perms, mariadb_host_url)
if pw_in_sqlconn:
config['CONFIG_NOVA_SQL_CONN_PW'] = sqlconn
else:
config['CONFIG_NOVA_SQL_CONN_NOPW'] = sqlconn
# for nova-network in multihost mode each compute host is metadata
# host otherwise we use api host
if (network_type == 'nova' and network_multi and
host in compute_hosts):
metadata = host
else:
metadata = config['CONFIG_CONTROLLER_HOST']
config['CONFIG_NOVA_METADATA_HOST'] = metadata
data = getManifestTemplate(get_mq(config, "nova_common"))
if pw_in_sqlconn:
data += getManifestTemplate("nova_common_pw")
else:
data += getManifestTemplate("nova_common_nopw")
appendManifestFile(os.path.split(manifestfile)[1], data)
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
nova_hosts = compute_hosts
nova_hosts |= set([config.get('CONFIG_CONTROLLER_HOST')])
ssl_cert_file = config['CONFIG_NOVA_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_nova.crt'
)
ssl_key_file = config['CONFIG_NOVA_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_nova.key'
)
service = 'nova'
for host in nova_hosts:
generate_ssl_cert(config, host, service,
ssl_key_file, ssl_cert_file)
def create_manifest(config, messages):
manifestfile = "%s_ceilometer.pp" % config['CONFIG_CONTROLLER_HOST']
manifestdata = getManifestTemplate(get_mq(config, "ceilometer"))
manifestdata += getManifestTemplate("ceilometer")
if config['CONFIG_CEILOMETER_COORDINATION_BACKEND'] == 'redis':
# Determine if we need to configure multiple sentinel hosts as
# fallbacks for use in coordination url.
sentinel_hosts = split_hosts(config['CONFIG_REDIS_SENTINEL_HOSTS'])
sentinel_port = config['CONFIG_REDIS_SENTINEL_PORT']
sentinel_host = config['CONFIG_REDIS_SENTINEL_CONTACT_HOST']
if config['CONFIG_IP_VERSION'] == 'ipv6':
config['CONFIG_REDIS_SENTINEL_CONTACT_HOST_URL'] = "[%s]" % (
sentinel_host)
else:
config['CONFIG_REDIS_SENTINEL_CONTACT_HOST_URL'] = sentinel_host
sentinel_contact = config['CONFIG_REDIS_SENTINEL_CONTACT_HOST']
if len(sentinel_hosts) > 1:
sentinel_format = 'sentinel_fallback=%s:%s'
if config['CONFIG_IP_VERSION'] == 'ipv6':
sentinel_format = 'sentinel_fallback=[%s]:%s'
sentinel_fallbacks = '&'.join([sentinel_format %
(host, sentinel_port)
for host in sentinel_hosts
if host != sentinel_contact])
else:
sentinel_fallbacks = ''
config['CONFIG_REDIS_SENTINEL_FALLBACKS'] = sentinel_fallbacks
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_ceilometer.crt'
)
ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_ceilometer.key'
)
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'ceilometer'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
key = "ceilometer_api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "ceilometer-api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8777']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_CEILOMETER_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_CEILOMETER_RULES')
# Add a template that creates a group for nova because the ceilometer
# class needs it
if config['CONFIG_NOVA_INSTALL'] == 'n':
manifestdata += getManifestTemplate("ceilometer_nova_disabled")
appendManifestFile(manifestfile, manifestdata, 'ceilometer')
def create_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_STORAGE_HOST']
ssl_cert_file = config['CONFIG_CINDER_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_cinder.crt'
)
ssl_key_file = config['CONFIG_CINDER_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_cinder.key'
)
service = 'cinder'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
manifestdata = getManifestTemplate(get_mq(config, "cinder"))
manifestfile = "%s_cinder.pp" % config['CONFIG_STORAGE_HOST']
manifestdata += getManifestTemplate("cinder")
for backend in config['CONFIG_CINDER_BACKEND']:
manifestdata += getManifestTemplate('cinder_%s' % backend)
if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
manifestdata += getManifestTemplate('cinder_ceilometer')
if config['CONFIG_SWIFT_INSTALL'] == 'y':
manifestdata += getManifestTemplate('cinder_backup')
fw_details = dict()
for host in split_hosts(config['CONFIG_COMPUTE_HOSTS']):
if (config['CONFIG_NOVA_INSTALL'] == 'y' and
config['CONFIG_VMWARE_BACKEND'] == 'n'):
key = "cinder_%s" % host
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % host
else:
key = "cinder_all"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "cinder"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['3260']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_CINDER_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_CINDER_RULES')
# cinder API should be open for everyone
fw_details = dict()
key = "cinder_api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "cinder-api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8776']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_CINDER_API_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_CINDER_API_RULES')
appendManifestFile(manifestfile, manifestdata)
def create_manifest(config, messages):
manifestfile = "%s_ceilometer.pp" % config['CONFIG_CONTROLLER_HOST']
manifestdata = getManifestTemplate(get_mq(config, "ceilometer"))
manifestdata += getManifestTemplate("ceilometer")
if config['CONFIG_CEILOMETER_COORDINATION_BACKEND'] == 'redis':
# Determine if we need to configure multiple sentinel hosts as
# fallbacks for use in coordination url.
sentinel_hosts = split_hosts(config['CONFIG_REDIS_SENTINEL_HOSTS'])
sentinel_port = config['CONFIG_REDIS_SENTINEL_PORT']
sentinel_host = config['CONFIG_REDIS_SENTINEL_CONTACT_HOST']
if config['CONFIG_IP_VERSION'] == 'ipv6':
config['CONFIG_REDIS_SENTINEL_CONTACT_HOST_URL'] = "[%s]" % (
sentinel_host)
else:
config['CONFIG_REDIS_SENTINEL_CONTACT_HOST_URL'] = sentinel_host
sentinel_contact = config['CONFIG_REDIS_SENTINEL_CONTACT_HOST']
if len(sentinel_hosts) > 1:
sentinel_format = 'sentinel_fallback=%s:%s'
if config['CONFIG_IP_VERSION'] == 'ipv6':
sentinel_format = 'sentinel_fallback=[%s]:%s'
sentinel_fallbacks = '&'.join([
sentinel_format % (host, sentinel_port)
for host in sentinel_hosts if host != sentinel_contact
])
else:
sentinel_fallbacks = ''
config['CONFIG_REDIS_SENTINEL_FALLBACKS'] = sentinel_fallbacks
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_ceilometer.crt')
ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_ceilometer.key')
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'ceilometer'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
key = "ceilometer_api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "ceilometer-api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8777']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_CEILOMETER_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_CEILOMETER_RULES')
# Add a template that creates a group for nova because the ceilometer
# class needs it
if config['CONFIG_NOVA_INSTALL'] == 'n':
manifestdata += getManifestTemplate("ceilometer_nova_disabled")
appendManifestFile(manifestfile, manifestdata, 'ceilometer')
def create_common_manifest(config, messages):
global compute_hosts, network_hosts
network_type = (config['CONFIG_NEUTRON_INSTALL'] == "y" and
'neutron' or 'nova')
network_multi = len(network_hosts) > 1
dbacces_hosts = set([config.get('CONFIG_CONTROLLER_HOST')])
dbacces_hosts |= network_hosts
for host in filtered_hosts(config):
pw_in_sqlconn = False
host = host.strip()
if host in compute_hosts and host not in dbacces_hosts:
# we should omit password in case we are installing only
# nova-compute to the host
perms = "nova"
pw_in_sqlconn = False
else:
perms = "nova:%s" % config['CONFIG_NOVA_DB_PW']
pw_in_sqlconn = True
mariadb_host_url = config['CONFIG_MARIADB_HOST_URL']
sqlconn = "mysql+pymysql://%s@%s/nova" % (perms, mariadb_host_url)
if pw_in_sqlconn:
config['CONFIG_NOVA_SQL_CONN_PW'] = sqlconn
else:
config['CONFIG_NOVA_SQL_CONN_NOPW'] = sqlconn
# for nova-network in multihost mode each compute host is metadata
# host otherwise we use api host
if (network_type == 'nova' and network_multi and
host in compute_hosts):
metadata = host
else:
metadata = config['CONFIG_CONTROLLER_HOST']
config['CONFIG_NOVA_METADATA_HOST'] = metadata
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
nova_hosts = compute_hosts
nova_hosts |= set([config.get('CONFIG_CONTROLLER_HOST')])
ssl_cert_file = config['CONFIG_NOVA_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_nova.crt'
)
ssl_key_file = config['CONFIG_NOVA_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_nova.key'
)
service = 'nova'
for host in nova_hosts:
generate_ssl_cert(config, host, service,
ssl_key_file, ssl_cert_file)
def create_manifest(config, messages):
if config['CONFIG_UNSUPPORTED'] != 'y':
config['CONFIG_STORAGE_HOST'] = config['CONFIG_CONTROLLER_HOST']
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_STORAGE_HOST']
ssl_cert_file = config['CONFIG_MANILA_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_manila.crt'
)
ssl_key_file = config['CONFIG_MANILA_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_manila.key'
)
service = 'manila'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
# Change these from text to Boolean values
boolean_keys = ['CONFIG_MANILA_GENERIC_DRV_HANDLES_SHARE_SERVERS',
'CONFIG_MANILA_NETAPP_DRV_HANDLES_SHARE_SERVERS']
for key in [k for k in boolean_keys if k in config]:
if config[key].lower() == "true":
config[key] = True
elif config[key].lower() == "false":
config[key] = False
manifestdata = getManifestTemplate(get_mq(config, "manila"))
manifestfile = "%s_manila.pp" % config['CONFIG_STORAGE_HOST']
manifestdata += getManifestTemplate("manila.pp")
manifestdata += getManifestTemplate("manila_network.pp")
backends = config['CONFIG_MANILA_BACKEND']
for backend in backends:
manifestdata += getManifestTemplate('manila_%s.pp' % backend)
# manila API should be open for everyone
fw_details = dict()
key = "manila_api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "manila-api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8786']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_MANILA_API_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_MANILA_API_RULES')
appendManifestFile(manifestfile, manifestdata, marker='manila')
def create_manifest(config, messages):
if config['CONFIG_UNSUPPORTED'] != 'y':
config['CONFIG_STORAGE_HOST'] = config['CONFIG_CONTROLLER_HOST']
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_STORAGE_HOST']
ssl_cert_file = config['CONFIG_MANILA_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_manila.crt')
ssl_key_file = config['CONFIG_MANILA_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_manila.key')
service = 'manila'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
# Change these from text to Boolean values
boolean_keys = [
'CONFIG_MANILA_GENERIC_DRV_HANDLES_SHARE_SERVERS',
'CONFIG_MANILA_NETAPP_DRV_HANDLES_SHARE_SERVERS'
]
for key in [k for k in boolean_keys if k in config]:
if config[key].lower() == "true":
config[key] = True
elif config[key].lower() == "false":
config[key] = False
manifestdata = getManifestTemplate(get_mq(config, "manila"))
manifestfile = "%s_manila.pp" % config['CONFIG_STORAGE_HOST']
manifestdata += getManifestTemplate("manila.pp")
manifestdata += getManifestTemplate("manila_network.pp")
backends = config['CONFIG_MANILA_BACKEND']
for backend in backends:
manifestdata += getManifestTemplate('manila_%s.pp' % backend)
# manila API should be open for everyone
fw_details = dict()
key = "manila_api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "manila-api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8786']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_MANILA_API_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_MANILA_API_RULES')
appendManifestFile(manifestfile, manifestdata, marker='manila')
def create_manifest(config, messages):
server = utils.ScriptRunner(config['CONFIG_AMQP_HOST'])
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
config['CONFIG_AMQP_SSL_ENABLED'] = True
config['CONFIG_AMQP_PROTOCOL'] = 'ssl'
config['CONFIG_AMQP_CLIENTS_PORT'] = "5671"
amqp_host = config['CONFIG_AMQP_HOST']
service = 'AMQP'
ssl_key_file = '/etc/pki/tls/private/ssl_amqp.key'
ssl_cert_file = '/etc/pki/tls/certs/ssl_amqp.crt'
cacert = config['CONFIG_AMQP_SSL_CACERT_FILE'] = (
config['CONFIG_SSL_CACERT']
)
generate_ssl_cert(config, amqp_host, service, ssl_key_file,
ssl_cert_file)
else:
# Set default values
config['CONFIG_AMQP_CLIENTS_PORT'] = "5672"
config['CONFIG_AMQP_SSL_ENABLED'] = False
config['CONFIG_AMQP_PROTOCOL'] = 'tcp'
if config['CONFIG_AMQP_ENABLE_AUTH'] == 'n':
config['CONFIG_AMQP_AUTH_PASSWORD'] = '******'
config['CONFIG_AMQP_AUTH_USER'] = '******'
manifestfile = "%s_amqp.pp" % config['CONFIG_AMQP_HOST']
manifestdata = getManifestTemplate('amqp')
if config['CONFIG_IP_VERSION'] == 'ipv6':
config['CONFIG_AMQP_HOST_URL'] = "[%s]" % config['CONFIG_AMQP_HOST']
else:
config['CONFIG_AMQP_HOST_URL'] = config['CONFIG_AMQP_HOST']
fw_details = dict()
# All hosts should be able to talk to amqp
for host in filtered_hosts(config, exclude=False):
key = "amqp_%s" % host
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % host
fw_details[key]['service_name'] = "amqp"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['5671', '5672']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_AMQP_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_AMQP_RULES')
appendManifestFile(manifestfile, manifestdata, 'pre')
def create_manifest(config, messages):
server = utils.ScriptRunner(config['CONFIG_AMQP_HOST'])
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
config['CONFIG_AMQP_SSL_ENABLED'] = True
config['CONFIG_AMQP_PROTOCOL'] = 'ssl'
config['CONFIG_AMQP_CLIENTS_PORT'] = "5671"
amqp_host = config['CONFIG_AMQP_HOST']
service = 'AMQP'
ssl_key_file = '/etc/pki/tls/private/ssl_amqp.key'
ssl_cert_file = '/etc/pki/tls/certs/ssl_amqp.crt'
cacert = config['CONFIG_AMQP_SSL_CACERT_FILE'] = (
config['CONFIG_SSL_CACERT'])
generate_ssl_cert(config, amqp_host, service, ssl_key_file,
ssl_cert_file)
else:
# Set default values
config['CONFIG_AMQP_CLIENTS_PORT'] = "5672"
config['CONFIG_AMQP_SSL_ENABLED'] = False
config['CONFIG_AMQP_PROTOCOL'] = 'tcp'
if config['CONFIG_AMQP_ENABLE_AUTH'] == 'n':
config['CONFIG_AMQP_AUTH_PASSWORD'] = '******'
config['CONFIG_AMQP_AUTH_USER'] = '******'
manifestfile = "%s_amqp.pp" % config['CONFIG_AMQP_HOST']
manifestdata = getManifestTemplate('amqp')
if config['CONFIG_IP_VERSION'] == 'ipv6':
config['CONFIG_AMQP_HOST_URL'] = "[%s]" % config['CONFIG_AMQP_HOST']
else:
config['CONFIG_AMQP_HOST_URL'] = config['CONFIG_AMQP_HOST']
fw_details = dict()
# All hosts should be able to talk to amqp
for host in filtered_hosts(config, exclude=False):
key = "amqp_%s" % host
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % host
fw_details[key]['service_name'] = "amqp"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['5671', '5672']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_AMQP_RULES'] = fw_details
manifestdata += createFirewallResources('FIREWALL_AMQP_RULES')
appendManifestFile(manifestfile, manifestdata, 'pre')
def create_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_STORAGE_HOST']
ssl_cert_file = config['CONFIG_CINDER_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_cinder.crt'
)
ssl_key_file = config['CONFIG_CINDER_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_cinder.key'
)
service = 'cinder'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
for host in split_hosts(config['CONFIG_COMPUTE_HOSTS']):
if (config['CONFIG_NOVA_INSTALL'] == 'y' and
config['CONFIG_VMWARE_BACKEND'] == 'n'):
key = "cinder_%s" % host
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % host
else:
key = "cinder_all"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "cinder"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['3260']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_CINDER_RULES'] = fw_details
# cinder API should be open for everyone
fw_details = dict()
key = "cinder_api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "cinder-api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8776']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_CINDER_API_RULES'] = fw_details
def create_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_STORAGE_HOST']
ssl_cert_file = config['CONFIG_CINDER_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_cinder.crt'
)
ssl_key_file = config['CONFIG_CINDER_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_cinder.key'
)
service = 'cinder'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
for host in split_hosts(config['CONFIG_COMPUTE_HOSTS']):
if (config['CONFIG_NOVA_INSTALL'] == 'y' and
config['CONFIG_VMWARE_BACKEND'] == 'n'):
key = "cinder_%s" % host
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % host
else:
key = "cinder_all"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "cinder"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['3260']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_CINDER_RULES'] = fw_details
# cinder API should be open for everyone
fw_details = dict()
key = "cinder_api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "cinder-api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8776']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_CINDER_API_RULES'] = fw_details
def create_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_CONTROLLER_HOST']
ssl_cert_file = config['CONFIG_IRONIC_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_ironic.crt')
ssl_key_file = config['CONFIG_IRONIC_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_ironic.key')
service = 'ironic'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
key = "ironic-api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "ironic-api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['6385']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_IRONIC_API_RULES'] = fw_details
def create_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_ceilometer.crt')
ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_ceilometer.key')
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'ceilometer'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
key = "ceilometer_api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "ceilometer-api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8777']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_CEILOMETER_RULES'] = fw_details
def create_all_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_MAGNUM_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_magnum.crt'
)
ssl_key_file = config['CONFIG_MAGNUM_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_magnum.key'
)
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'magnum'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
key = "magnum"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "magnum api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['9511']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_MAGNUM_API_RULES'] = fw_details
def create_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_STORAGE_HOST']
ssl_cert_file = config['CONFIG_GLANCE_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_glance.crt'
)
ssl_key_file = config['CONFIG_GLANCE_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_glance.key'
)
service = 'glance'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
key = "glance_api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "glance"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['9292']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_GLANCE_RULES'] = fw_details
def create_manifest(config, messages):
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_CONTROLLER_HOST']
ssl_cert_file = config['CONFIG_HEAT_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_heat.crt'
)
ssl_key_file = config['CONFIG_HEAT_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_heat.key'
)
service = 'heat'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
key = "heat"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "heat"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8004']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_HEAT_RULES'] = fw_details
def create_manifest(config, messages):
if config['CONFIG_UNSUPPORTED'] != 'y':
config['CONFIG_SAHARA_HOST'] = config['CONFIG_CONTROLLER_HOST']
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_SAHARA_HOST']
ssl_cert_file = config['CONFIG_SAHARA_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_sahara.crt')
ssl_key_file = config['CONFIG_SAHARA_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_sahara.key')
service = 'sahara'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
key = "sahara-api"
fw_details.setdefault(key, {})
fw_details[key]["host"] = "ALL"
fw_details[key]["service_name"] = "sahara api"
fw_details[key]["chain"] = "INPUT"
fw_details[key]["ports"] = ["8386"]
fw_details[key]["proto"] = "tcp"
config["FIREWALL_SAHARA_CFN_RULES"] = fw_details
def create_manifest(config, messages):
if config['CONFIG_UNSUPPORTED'] != 'y':
config['CONFIG_STORAGE_HOST'] = config['CONFIG_CONTROLLER_HOST']
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_host = config['CONFIG_STORAGE_HOST']
ssl_cert_file = config['CONFIG_MANILA_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_manila.crt'
)
ssl_key_file = config['CONFIG_MANILA_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_manila.key'
)
service = 'manila'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
# Change these from text to Boolean values
boolean_keys = ['CONFIG_MANILA_GENERIC_DRV_HANDLES_SHARE_SERVERS',
'CONFIG_MANILA_NETAPP_DRV_HANDLES_SHARE_SERVERS']
for key in [k for k in boolean_keys if k in config]:
if config[key].lower() == "true":
config[key] = True
elif config[key].lower() == "false":
config[key] = False
# manila API should be open for everyone
fw_details = dict()
key = "manila_api"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "manila-api"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['8786']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_MANILA_API_RULES'] = fw_details
def create_manifests(config, messages):
global q_hosts
service_plugins = ['qos', 'trunk']
service_providers = []
if config['CONFIG_LBAAS_INSTALL'] == 'y':
lbaas_plugin = ('neutron_lbaas.services.loadbalancer.plugin.'
'LoadBalancerPluginv2')
service_plugins.append(lbaas_plugin)
lbaas_sp = ('LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.'
'plugin_driver.HaproxyOnHostPluginDriver:default')
service_providers.append(lbaas_sp)
if use_ml2_with_ovn(config):
service_plugins.append('ovn-router')
else:
# ML2 uses the L3 Router service plugin to implement l3 agent for linuxbridge and ovs
service_plugins.append('router')
if config['CONFIG_NEUTRON_METERING_AGENT_INSTALL'] == 'y':
service_plugins.append('metering')
if config['CONFIG_NEUTRON_FWAAS'] == 'y':
service_plugins.append('firewall_v2')
fwaas_sp = (
'FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.'
'service_drivers.agents.agents.FirewallAgentDriver:default')
service_providers.append(fwaas_sp)
if config['CONFIG_NEUTRON_VPNAAS'] == 'y':
service_plugins.append('vpnaas')
vpnaas_sp = ('VPN:libreswan:neutron_vpnaas.services.vpn.'
'service_drivers.ipsec.IPsecVPNDriver:default')
service_providers.append(vpnaas_sp)
config['SERVICE_PLUGINS'] = (service_plugins
if service_plugins else 'undef')
config['SERVICE_PROVIDERS'] = (service_providers
if service_providers else [])
config['FIREWALL_DRIVER'] = ("neutron.agent.linux.iptables_firewall."
"OVSHybridIptablesFirewallDriver")
plugin_manifest = 'neutron_ml2_plugin'
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_NEUTRON_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_neutron.crt')
ssl_key_file = config['CONFIG_NEUTRON_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_neutron.key')
service = 'neutron'
for host in q_hosts:
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
generate_ssl_cert(config, host, service, ssl_key_file,
ssl_cert_file)
if host in api_hosts:
# Firewall
fw_details = dict()
key = "neutron_server_%s" % host
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "neutron server"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['9696']
fw_details[key]['proto'] = "tcp"
if use_ml2_with_ovn(config):
key = "ovn_northd_%s" % host
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "ovn northd"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['6641']
fw_details[key]['proto'] = "tcp"
key = "ovn_southd_%s" % host
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "ovn southd"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['6642']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_NEUTRON_SERVER_RULES'] = fw_details
# We also need to open VXLAN/GRE port for agent
if (use_openvswitch_vxlan(config) or use_openvswitch_gre(config)
or use_ovn_geneve(config)):
if config['CONFIG_IP_VERSION'] == 'ipv6':
msg = output_messages.WARN_IPV6_OVS
messages.append(utils.color_text(msg % host, 'red'))
fw_details = dict()
if (config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS']):
tunnel_subnets = map(
str.strip,
config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS'].split(','))
cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s" %
host.replace('.', '_'))
for subnet in tunnel_subnets:
tunnel_fw_details(config, host, subnet, fw_details)
config[cf_fw_nt_key] = fw_details
else:
cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s" %
host.replace('.', '_'))
for n_host in network_hosts | compute_hosts:
if config['CONFIG_NEUTRON_OVS_TUNNEL_IF']:
if config['CONFIG_USE_SUBNETS'] == 'y':
iface = common.cidr_to_ifname(
config['CONFIG_NEUTRON_OVS_TUNNEL_IF'], n_host,
config)
else:
iface = config['CONFIG_NEUTRON_OVS_TUNNEL_IF']
ifip = ("ipaddress_%s" % iface)
ifip = re.sub('[\.\-\:]', '_', ifip)
try:
src_host = config['HOST_DETAILS'][n_host][ifip]
except KeyError:
raise KeyError('Couldn\'t detect ipaddress of '
'interface %s on node %s' %
(iface, n_host))
else:
src_host = n_host
tunnel_fw_details(config, host, src_host, fw_details)
config[cf_fw_nt_key] = fw_details
def create_compute_manifest(config, messages):
global compute_hosts, network_hosts
if config["CONFIG_HORIZON_SSL"] == 'y':
config["CONFIG_VNCPROXY_PROTOCOL"] = "https"
else:
config["CONFIG_VNCPROXY_PROTOCOL"] = "http"
migrate_protocol = config['CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL']
if migrate_protocol == 'ssh':
config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = (
'qemu+ssh://nova@%s/system?no_verify=1&'
'keyfile=/etc/nova/ssh/nova_migration_key'
)
else:
config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = (
'qemu+tcp://nova@%s/system'
)
ssh_keys_details = {}
for host in compute_hosts:
try:
hostname, aliases, addrs = socket.gethostbyaddr(host)
except socket.herror:
hostname, aliases, addrs = (host, [], [])
for hostkey in config['HOST_KEYS_%s' % host].split('\n'):
hostkey = hostkey.strip()
if not hostkey:
continue
_, host_key_type, host_key_data = hostkey.split()
key = "%s.%s" % (host_key_type, hostname)
ssh_keys_details.setdefault(key, {})
ssh_keys_details[key]['ensure'] = 'present'
ssh_keys_details[key]['host_aliases'] = aliases + addrs
ssh_keys_details[key]['key'] = host_key_data
ssh_keys_details[key]['type'] = host_key_type
config['SSH_KEYS'] = ssh_keys_details
if config['CONFIG_VMWARE_BACKEND'] == 'y':
vcenters = [i.strip() for i in
config['CONFIG_VCENTER_CLUSTER_NAMES'].split(',')
if i.strip()]
if not vcenters:
raise exceptions.ParamValidationError(
"Please specify at least one VMware vCenter cluster in"
" CONFIG_VCENTER_CLUSTER_NAMES"
)
if len(vcenters) != len(compute_hosts):
if len(vcenters) > 1:
raise exceptions.ParamValidationError(
"Number of vmware clusters %s is not same"
" as number of nova computes %s", (vcenters, compute_hosts)
)
else:
vcenters = len(compute_hosts) * [vcenters[0]]
vmware_clusters = dict(zip(compute_hosts, vcenters))
config['CONFIG_VCENTER_CLUSTERS'] = vmware_clusters
for host in compute_hosts:
if config['CONFIG_IRONIC_INSTALL'] == 'y':
cm = 'ironic.nova.compute.manager.ClusteredComputeManager'
config['CONFIG_NOVA_COMPUTE_MANAGER'] = cm
fw_details = dict()
cf_fw_qemu_mig_key = "FIREWALL_NOVA_QEMU_MIG_RULES_%s" % host
for c_host in compute_hosts:
key = "nova_qemu_migration_%s_%s" % (host, c_host)
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % c_host
fw_details[key]['service_name'] = "nova qemu migration"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['16509', '49152-49215']
fw_details[key]['proto'] = "tcp"
config[cf_fw_qemu_mig_key] = fw_details
if config['CONFIG_NEUTRON_INSTALL'] != 'y':
key = 'CONFIG_NOVA_COMPUTE_PRIVIF'
if not config[key].strip():
config[key] = dummy_interface(host)
if config['CONFIG_USE_SUBNETS'] == 'y':
netface = common.cidr_to_ifname(
config[key], host, config
)
else:
netface = config[key]
check_ifcfg(host, netface)
try:
bring_up_ifcfg(host, netface)
except exceptions.ScriptRuntimeError as ex:
# just warn user to do it by himself
messages.append(str(ex))
if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_ceilometer.crt'
)
ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_ceilometer.key'
)
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'ceilometer'
generate_ssl_cert(config, host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
key = "nova_compute"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % config['CONFIG_CONTROLLER_HOST']
fw_details[key]['service_name'] = "nova compute"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['5900-5999']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_NOVA_COMPUTE_RULES'] = fw_details
def create_compute_manifest(config, messages):
global compute_hosts, network_hosts
if config["CONFIG_HORIZON_SSL"] == 'y':
config["CONFIG_VNCPROXY_PROTOCOL"] = "https"
else:
config["CONFIG_VNCPROXY_PROTOCOL"] = "http"
migrate_protocol = config['CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL']
if migrate_protocol == 'ssh':
config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = (
'qemu+ssh://nova@%s/system?no_verify=1&'
'keyfile=/etc/nova/ssh/nova_migration_key'
)
else:
config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = (
'qemu+tcp://nova@%s/system'
)
ssh_keys_details = {}
for host in compute_hosts:
try:
hostname, aliases, addrs = socket.gethostbyaddr(host)
except socket.herror:
hostname, aliases, addrs = (host, [], [])
for hostkey in config['HOST_KEYS_%s' % host].split('\n'):
hostkey = hostkey.strip()
if not hostkey:
continue
_, host_key_type, host_key_data = hostkey.split()
key = "%s.%s" % (host_key_type, hostname)
ssh_keys_details.setdefault(key, {})
ssh_keys_details[key]['ensure'] = 'present'
ssh_keys_details[key]['host_aliases'] = aliases + addrs
ssh_keys_details[key]['key'] = host_key_data
ssh_keys_details[key]['type'] = host_key_type
config['SSH_KEYS'] = ssh_keys_details
if config['CONFIG_VMWARE_BACKEND'] == 'y':
vcenters = [i.strip() for i in
config['CONFIG_VCENTER_CLUSTER_NAMES'].split(',')
if i.strip()]
if not vcenters:
raise exceptions.ParamValidationError(
"Please specify at least one VMware vCenter cluster in"
" CONFIG_VCENTER_CLUSTER_NAMES"
)
if len(vcenters) != len(compute_hosts):
if len(vcenters) > 1:
raise exceptions.ParamValidationError(
"Number of vmware clusters %s is not same"
" as number of nova computes %s", (vcenters, compute_hosts)
)
else:
vcenters = len(compute_hosts) * [vcenters[0]]
vmware_clusters = dict(zip(compute_hosts, vcenters))
config['CONFIG_VCENTER_CLUSTERS'] = vmware_clusters
for host in compute_hosts:
if config['CONFIG_IRONIC_INSTALL'] == 'y':
cm = 'ironic.nova.compute.manager.ClusteredComputeManager'
config['CONFIG_NOVA_COMPUTE_MANAGER'] = cm
fw_details = dict()
cf_fw_qemu_mig_key = "FIREWALL_NOVA_QEMU_MIG_RULES_%s" % host
for c_host in compute_hosts:
key = "nova_qemu_migration_%s_%s" % (host, c_host)
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % c_host
fw_details[key]['service_name'] = "nova qemu migration"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['16509', '49152-49215']
fw_details[key]['proto'] = "tcp"
config[cf_fw_qemu_mig_key] = fw_details
if config['CONFIG_NEUTRON_INSTALL'] != 'y':
key = 'CONFIG_NOVA_COMPUTE_PRIVIF'
if not config[key].strip():
config[key] = dummy_interface(host)
if config['CONFIG_USE_SUBNETS'] == 'y':
netface = common.cidr_to_ifname(
config[key], host, config
)
else:
netface = config[key]
check_ifcfg(host, netface)
try:
bring_up_ifcfg(host, netface)
except exceptions.ScriptRuntimeError as ex:
# just warn user to do it by himself
messages.append(str(ex))
if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_ceilometer.crt'
)
ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_ceilometer.key'
)
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'ceilometer'
generate_ssl_cert(config, host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
key = "nova_compute"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % config['CONFIG_CONTROLLER_HOST']
fw_details[key]['service_name'] = "nova compute"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['5900-5999']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_NOVA_COMPUTE_RULES'] = fw_details
def create_manifest(config, messages):
horizon_host = config['CONFIG_CONTROLLER_HOST']
manifestfile = "%s_horizon.pp" % horizon_host
proto = "http"
config["CONFIG_HORIZON_PORT"] = 80
sslmanifestdata = ''
if config["CONFIG_HORIZON_SSL"] == 'y':
config["CONFIG_HORIZON_PORT"] = 443
proto = "https"
# Are we using the users cert/key files
if config["CONFIG_HORIZON_SSL_CERT"]:
ssl_cert_file = config["CONFIG_HORIZON_SSL_CERT"]
ssl_key_file = config["CONFIG_HORIZON_SSL_KEY"]
ssl_chain_file = config["CONFIG_HORIZON_SSL_CACERT"]
if not os.path.exists(ssl_cert_file):
raise exceptions.ParamValidationError(
"The file %s doesn't exist" % ssl_cert_file)
if not os.path.exists(ssl_key_file):
raise exceptions.ParamValidationError(
"The file %s doesn't exist" % ssl_key_file)
if not os.path.exists(ssl_chain_file):
raise exceptions.ParamValidationError(
"The file %s doesn't exist" % ssl_chain_file)
final_cert = open(ssl_cert_file, 'rt').read()
final_key = open(ssl_key_file, 'rt').read()
final_cacert = open(ssl_chain_file, 'rt').read()
host = config['CONFIG_CONTROLLER_HOST']
deliver_ssl_file(final_cacert, ssl_chain_file, host)
deliver_ssl_file(final_cert, ssl_cert_file, host)
deliver_ssl_file(final_key, ssl_key_file, host)
else:
ssl_cert_file = config["CONFIG_HORIZON_SSL_CERT"] = (
'/etc/pki/tls/certs/ssl_dashboard.crt')
ssl_key_file = config["CONFIG_HORIZON_SSL_KEY"] = (
'/etc/pki/tls/private/ssl_dashboard.key')
cacert = config['CONFIG_SSL_CACERT']
config["CONFIG_HORIZON_SSL_CACERT"] = cacert
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'dashboard'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
messages.append(
"%sNOTE%s : A certificate was generated to be used for ssl, "
"You should change the ssl certificate configured in "
"/etc/httpd/conf.d/ssl.conf on %s to use a CA signed cert." %
(utils.COLORS['red'], utils.COLORS['nocolor'], horizon_host))
config["CONFIG_HORIZON_NEUTRON_LB"] = False
config["CONFIG_HORIZON_NEUTRON_FW"] = False
config["CONFIG_HORIZON_NEUTRON_VPN"] = False
if config['CONFIG_NEUTRON_INSTALL'] == 'y':
if config["CONFIG_LBAAS_INSTALL"] == 'y':
config["CONFIG_HORIZON_NEUTRON_LB"] = True
if config["CONFIG_NEUTRON_FWAAS"] == 'y':
config["CONFIG_HORIZON_NEUTRON_FW"] = True
if config["CONFIG_NEUTRON_VPNAAS"] == 'y':
config["CONFIG_HORIZON_NEUTRON_VPN"] = True
manifestdata = getManifestTemplate("horizon")
appendManifestFile(manifestfile, manifestdata)
msg = ("To access the OpenStack Dashboard browse to %s://%s/dashboard .\n"
"Please, find your login credentials stored in the keystonerc_admin"
" in your home directory." %
(proto, config['CONFIG_CONTROLLER_HOST']))
messages.append(msg)
def create_compute_manifest(config, messages):
global compute_hosts, network_hosts
if config["CONFIG_HORIZON_SSL"] == 'y':
config["CONFIG_VNCPROXY_PROTOCOL"] = "https"
else:
config["CONFIG_VNCPROXY_PROTOCOL"] = "http"
migrate_protocol = config['CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL']
if migrate_protocol == 'ssh':
config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = (
'qemu+ssh://nova@%s/system?no_verify=1&'
'keyfile=/etc/nova/ssh/nova_migration_key'
)
else:
config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = (
'qemu+tcp://nova@%s/system'
)
ssh_hostkeys = ''
ssh_keys_details = {}
for host in compute_hosts:
try:
hostname, aliases, addrs = socket.gethostbyaddr(host)
except socket.herror:
hostname, aliases, addrs = (host, [], [])
for hostkey in config['HOST_KEYS_%s' % host].split('\n'):
hostkey = hostkey.strip()
if not hostkey:
continue
_, host_key_type, host_key_data = hostkey.split()
key = "%s.%s" % (host_key_type, hostname)
ssh_keys_details.setdefault(key, {})
ssh_keys_details[key]['ensure'] = 'present'
ssh_keys_details[key]['host_aliases'] = aliases + addrs
ssh_keys_details[key]['key'] = host_key_data
ssh_keys_details[key]['type'] = host_key_type
config['SSH_KEYS'] = ssh_keys_details
ssh_hostkeys += getManifestTemplate("sshkey")
for host in compute_hosts:
if config['CONFIG_IRONIC_INSTALL'] == 'y':
cm = 'ironic.nova.compute.manager.ClusteredComputeManager'
config['CONFIG_NOVA_COMPUTE_MANAGER'] = cm
manifestdata = getManifestTemplate("nova_compute")
fw_details = dict()
cf_fw_qemu_mig_key = "FIREWALL_NOVA_QEMU_MIG_RULES_%s" % host
for c_host in compute_hosts:
key = "nova_qemu_migration_%s_%s" % (host, c_host)
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % c_host
fw_details[key]['service_name'] = "nova qemu migration"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['16509', '49152-49215']
fw_details[key]['proto'] = "tcp"
config[cf_fw_qemu_mig_key] = fw_details
manifestdata += createFirewallResources(cf_fw_qemu_mig_key)
if config['CONFIG_VMWARE_BACKEND'] == 'y':
manifestdata += getManifestTemplate("nova_compute_vmware.pp")
elif config['CONFIG_IRONIC_INSTALL'] == 'y':
manifestdata += getManifestTemplate("nova_compute_ironic.pp")
else:
manifestdata += getManifestTemplate("nova_compute_libvirt.pp")
if (config['CONFIG_VMWARE_BACKEND'] != 'y' and
config['CONFIG_CINDER_INSTALL'] == 'y' and
'gluster' in config['CONFIG_CINDER_BACKEND']):
manifestdata += getManifestTemplate("nova_gluster")
if (config['CONFIG_VMWARE_BACKEND'] != 'y' and
config['CONFIG_CINDER_INSTALL'] == 'y' and
'nfs' in config['CONFIG_CINDER_BACKEND']):
manifestdata += getManifestTemplate("nova_nfs")
manifestfile = "%s_nova.pp" % host
if config['CONFIG_NEUTRON_INSTALL'] != 'y':
if host not in network_hosts:
manifestdata += getManifestTemplate('nova_compute_flat')
if config['CONFIG_USE_SUBNETS'] == 'y':
netface = common.cidr_to_ifname(
config['CONFIG_NOVA_COMPUTE_PRIVIF'], host, config
)
else:
netface = config['CONFIG_NOVA_COMPUTE_PRIVIF']
check_ifcfg(host, netface)
try:
bring_up_ifcfg(host, netface)
except ScriptRuntimeError as ex:
# just warn user to do it by himself
messages.append(str(ex))
if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_ceilometer.crt'
)
ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_ceilometer.key'
)
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'ceilometer'
generate_ssl_cert(config, host, service, ssl_key_file,
ssl_cert_file)
mq_template = get_mq(config, "nova_ceilometer")
manifestdata += getManifestTemplate(mq_template)
manifestdata += getManifestTemplate("nova_ceilometer")
fw_details = dict()
key = "nova_compute"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % config['CONFIG_CONTROLLER_HOST']
fw_details[key]['service_name'] = "nova compute"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['5900-5999']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_NOVA_COMPUTE_RULES'] = fw_details
manifestdata += "\n" + createFirewallResources(
'FIREWALL_NOVA_COMPUTE_RULES'
)
manifestdata += "\n" + ssh_hostkeys
appendManifestFile(manifestfile, manifestdata)
def create_compute_manifest(config, messages):
global compute_hosts, network_hosts
if config["CONFIG_HORIZON_SSL"] == 'y':
config["CONFIG_VNCPROXY_PROTOCOL"] = "https"
else:
config["CONFIG_VNCPROXY_PROTOCOL"] = "http"
config["CONFIG_NOVA_ALLOW_RESIZE_TO_SAME"] = len(compute_hosts) == 1
ssh_keys_details = {}
for host in compute_hosts:
try:
hostname, aliases, addrs = socket.gethostbyaddr(host)
except socket.herror:
hostname, aliases, addrs = (host, [], [])
for hostkey in config['HOST_KEYS_%s' % host].split('\n'):
hostkey = hostkey.strip()
if not hostkey:
continue
_, host_key_type, host_key_data = hostkey.split()
key = "%s.%s" % (host_key_type, hostname)
ssh_keys_details.setdefault(key, {})
ssh_keys_details[key]['ensure'] = 'present'
ssh_keys_details[key]['host_aliases'] = [hostname] + aliases + addrs
ssh_keys_details[key]['key'] = host_key_data
ssh_keys_details[key]['type'] = host_key_type
config['SSH_KEYS'] = ssh_keys_details
if config['CONFIG_VMWARE_BACKEND'] == 'y':
vcenters = [i.strip() for i in
config['CONFIG_VCENTER_CLUSTER_NAMES'].split(',')
if i.strip()]
if not vcenters:
raise exceptions.ParamValidationError(
"Please specify at least one VMware vCenter cluster in"
" CONFIG_VCENTER_CLUSTER_NAMES"
)
if len(vcenters) != len(compute_hosts):
if len(vcenters) > 1:
raise exceptions.ParamValidationError(
"Number of vmware clusters %s is not same"
" as number of nova computes %s", (vcenters, compute_hosts)
)
else:
vcenters = len(compute_hosts) * [vcenters[0]]
vmware_clusters = dict(zip(compute_hosts, vcenters))
config['CONFIG_VCENTER_CLUSTERS'] = vmware_clusters
for host in compute_hosts:
fw_details = dict()
cf_fw_qemu_mig_key = ("FIREWALL_NOVA_QEMU_MIG_RULES_%s" %
host.replace('.', '_'))
for c_host in compute_hosts:
key = "nova_qemu_migration_%s_%s" % (host, c_host)
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % c_host
fw_details[key]['service_name'] = "nova qemu migration"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['16509', '49152-49215']
fw_details[key]['proto'] = "tcp"
config[cf_fw_qemu_mig_key] = fw_details
if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_ceilometer.crt'
)
ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_ceilometer.key'
)
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'ceilometer'
generate_ssl_cert(config, host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
key = "nova_compute"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % config['CONFIG_CONTROLLER_HOST']
fw_details[key]['service_name'] = "nova compute"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['5900-5999']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_NOVA_COMPUTE_RULES'] = fw_details
def create_manifest(config, messages):
horizon_host = config['CONFIG_CONTROLLER_HOST']
manifestfile = "%s_horizon.pp" % horizon_host
proto = "http"
config["CONFIG_HORIZON_PORT"] = 80
sslmanifestdata = ''
if config["CONFIG_HORIZON_SSL"] == 'y':
config["CONFIG_HORIZON_PORT"] = 443
proto = "https"
# Are we using the users cert/key files
if config["CONFIG_HORIZON_SSL_CERT"]:
ssl_cert_file = config["CONFIG_HORIZON_SSL_CERT"]
ssl_key_file = config["CONFIG_HORIZON_SSL_KEY"]
ssl_chain_file = config["CONFIG_HORIZON_SSL_CACERT"]
if not os.path.exists(ssl_cert_file):
raise exceptions.ParamValidationError(
"The file %s doesn't exist" % ssl_cert_file)
if not os.path.exists(ssl_key_file):
raise exceptions.ParamValidationError(
"The file %s doesn't exist" % ssl_key_file)
if not os.path.exists(ssl_chain_file):
raise exceptions.ParamValidationError(
"The file %s doesn't exist" % ssl_chain_file)
final_cert = open(ssl_cert_file, 'rt').read()
final_key = open(ssl_key_file, 'rt').read()
final_cacert = open(ssl_chain_file, 'rt').read()
host = config['CONFIG_CONTROLLER_HOST']
deliver_ssl_file(final_cacert, ssl_chain_file, host)
deliver_ssl_file(final_cert, ssl_cert_file, host)
deliver_ssl_file(final_key, ssl_key_file, host)
else:
ssl_cert_file = config["CONFIG_HORIZON_SSL_CERT"] = (
'/etc/pki/tls/certs/ssl_dashboard.crt'
)
ssl_key_file = config["CONFIG_HORIZON_SSL_KEY"] = (
'/etc/pki/tls/private/ssl_dashboard.key'
)
cacert = config['CONFIG_SSL_CACERT']
config["CONFIG_HORIZON_SSL_CACERT"] = cacert
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'dashboard'
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
ssl_cert_file)
messages.append(
"%sNOTE%s : A certificate was generated to be used for ssl, "
"You should change the ssl certificate configured in "
"/etc/httpd/conf.d/ssl.conf on %s to use a CA signed cert."
% (utils.COLORS['red'], utils.COLORS['nocolor'], horizon_host))
config["CONFIG_HORIZON_NEUTRON_LB"] = False
config["CONFIG_HORIZON_NEUTRON_FW"] = False
config["CONFIG_HORIZON_NEUTRON_VPN"] = False
if config['CONFIG_NEUTRON_INSTALL'] == 'y':
if config["CONFIG_LBAAS_INSTALL"] == 'y':
config["CONFIG_HORIZON_NEUTRON_LB"] = True
if config["CONFIG_NEUTRON_FWAAS"] == 'y':
config["CONFIG_HORIZON_NEUTRON_FW"] = True
if config["CONFIG_NEUTRON_VPNAAS"] == 'y':
config["CONFIG_HORIZON_NEUTRON_VPN"] = True
manifestdata = getManifestTemplate("horizon")
manifestdata += getManifestTemplate("apache_ports")
appendManifestFile(manifestfile, manifestdata)
msg = ("To access the OpenStack Dashboard browse to %s://%s/dashboard .\n"
"Please, find your login credentials stored in the keystonerc_admin"
" in your home directory."
% (proto, config['CONFIG_CONTROLLER_HOST']))
messages.append(msg)
def create_manifests(config, messages):
global q_hosts
service_plugins = []
if config['CONFIG_LBAAS_INSTALL'] == 'y':
service_plugins.append('lbaas')
# ML2 uses the L3 Router service plugin to implement l3 agent
service_plugins.append('router')
if config['CONFIG_NEUTRON_METERING_AGENT_INSTALL'] == 'y':
service_plugins.append('metering')
if config['CONFIG_NEUTRON_FWAAS'] == 'y':
service_plugins.append('firewall')
if config['CONFIG_NEUTRON_VPNAAS'] == 'y':
service_plugins.append('vpnaas')
config['SERVICE_PLUGINS'] = (service_plugins
if service_plugins else 'undef')
plugin_manifest = 'neutron_ml2_plugin'
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_NEUTRON_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_neutron.crt')
ssl_key_file = config['CONFIG_NEUTRON_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_neutron.key')
service = 'neutron'
for host in q_hosts:
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
generate_ssl_cert(config, host, service, ssl_key_file,
ssl_cert_file)
manifest_file = "%s_neutron.pp" % (host, )
manifest_data = getManifestTemplate("neutron")
manifest_data += getManifestTemplate(get_mq(config, "neutron"))
appendManifestFile(manifest_file, manifest_data, 'neutron')
if host in api_hosts:
manifest_file = "%s_neutron.pp" % (host, )
manifest_data = getManifestTemplate("neutron_api")
if config['CONFIG_NOVA_INSTALL'] == 'y':
template_name = "neutron_notifications"
manifest_data += getManifestTemplate(template_name)
# Set up any l2 plugin configs we need only on neutron api nodes
# XXX I am not completely sure about this, but it seems necessary:
manifest_data += getManifestTemplate(plugin_manifest)
# Firewall
fw_details = dict()
key = "neutron_server_%s" % host
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "neutron server"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['9696']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_NEUTRON_SERVER_RULES'] = fw_details
manifest_data += createFirewallResources(
'FIREWALL_NEUTRON_SERVER_RULES')
appendManifestFile(manifest_file, manifest_data, 'neutron')
# We also need to open VXLAN/GRE port for agent
manifest_data = ""
if use_openvswitch_vxlan(config) or use_openvswitch_gre(config):
if config['CONFIG_IP_VERSION'] == 'ipv6':
msg = output_messages.WARN_IPV6_OVS
messages.append(utils.color_text(msg % host, 'red'))
if (config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS']):
tunnel_subnets = map(
str.strip,
config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS'].split(','))
for subnet in tunnel_subnets:
cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s_%s" %
(host, subnet))
config[cf_fw_nt_key] = tunnel_fw_details(
config, host, subnet)
manifest_data += createFirewallResources(cf_fw_nt_key)
else:
for n_host in network_hosts | compute_hosts:
cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s_%s" %
(host, n_host))
if config['CONFIG_NEUTRON_OVS_TUNNEL_IF']:
if config['CONFIG_USE_SUBNETS'] == 'y':
iface = common.cidr_to_ifname(
config['CONFIG_NEUTRON_OVS_TUNNEL_IF'], n_host,
config)
else:
iface = config['CONFIG_NEUTRON_OVS_TUNNEL_IF']
ifip = ("ipaddress_%s" % iface)
try:
src_host = config['HOST_DETAILS'][n_host][ifip]
except KeyError:
raise KeyError('Couldn\'t detect ipaddress of '
'interface %s on node %s' %
(iface, n_host))
else:
src_host = n_host
config[cf_fw_nt_key] = tunnel_fw_details(
config, host, src_host)
manifest_data += createFirewallResources(cf_fw_nt_key)
appendManifestFile(manifest_file, manifest_data, 'neutron')
def create_compute_manifest(config, messages):
global compute_hosts, network_hosts
if config["CONFIG_HORIZON_SSL"] == 'y':
config["CONFIG_VNCPROXY_PROTOCOL"] = "https"
else:
config["CONFIG_VNCPROXY_PROTOCOL"] = "http"
migrate_protocol = config['CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL']
if migrate_protocol == 'ssh':
config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = (
'qemu+ssh://nova@%s/system?no_verify=1&'
'keyfile=/etc/nova/ssh/nova_migration_key')
else:
config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = (
'qemu+tcp://nova@%s/system')
ssh_hostkeys = ''
ssh_keys_details = {}
for host in compute_hosts:
try:
hostname, aliases, addrs = socket.gethostbyaddr(host)
except socket.herror:
hostname, aliases, addrs = (host, [], [])
for hostkey in config['HOST_KEYS_%s' % host].split('\n'):
hostkey = hostkey.strip()
if not hostkey:
continue
_, host_key_type, host_key_data = hostkey.split()
key = "%s.%s" % (host_key_type, hostname)
ssh_keys_details.setdefault(key, {})
ssh_keys_details[key]['ensure'] = 'present'
ssh_keys_details[key]['host_aliases'] = aliases + addrs
ssh_keys_details[key]['key'] = host_key_data
ssh_keys_details[key]['type'] = host_key_type
config['SSH_KEYS'] = ssh_keys_details
ssh_hostkeys += getManifestTemplate("sshkey")
for host in compute_hosts:
if config['CONFIG_IRONIC_INSTALL'] == 'y':
cm = 'ironic.nova.compute.manager.ClusteredComputeManager'
config['CONFIG_NOVA_COMPUTE_MANAGER'] = cm
manifestdata = getManifestTemplate("nova_compute")
fw_details = dict()
cf_fw_qemu_mig_key = "FIREWALL_NOVA_QEMU_MIG_RULES_%s" % host
for c_host in compute_hosts:
key = "nova_qemu_migration_%s_%s" % (host, c_host)
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % c_host
fw_details[key]['service_name'] = "nova qemu migration"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['16509', '49152-49215']
fw_details[key]['proto'] = "tcp"
config[cf_fw_qemu_mig_key] = fw_details
manifestdata += createFirewallResources(cf_fw_qemu_mig_key)
if config['CONFIG_VMWARE_BACKEND'] == 'y':
manifestdata += getManifestTemplate("nova_compute_vmware.pp")
elif config['CONFIG_IRONIC_INSTALL'] == 'y':
manifestdata += getManifestTemplate("nova_compute_ironic.pp")
else:
manifestdata += getManifestTemplate("nova_compute_libvirt.pp")
if (config['CONFIG_VMWARE_BACKEND'] != 'y'
and config['CONFIG_CINDER_INSTALL'] == 'y'
and 'gluster' in config['CONFIG_CINDER_BACKEND']):
manifestdata += getManifestTemplate("nova_gluster")
if (config['CONFIG_VMWARE_BACKEND'] != 'y'
and config['CONFIG_CINDER_INSTALL'] == 'y'
and 'nfs' in config['CONFIG_CINDER_BACKEND']):
manifestdata += getManifestTemplate("nova_nfs")
manifestfile = "%s_nova.pp" % host
if config['CONFIG_NEUTRON_INSTALL'] != 'y':
if host not in network_hosts:
manifestdata += getManifestTemplate('nova_compute_flat')
if config['CONFIG_USE_SUBNETS'] == 'y':
netface = common.cidr_to_ifname(
config['CONFIG_NOVA_COMPUTE_PRIVIF'], host, config)
else:
netface = config['CONFIG_NOVA_COMPUTE_PRIVIF']
check_ifcfg(host, netface)
try:
bring_up_ifcfg(host, netface)
except ScriptRuntimeError as ex:
# just warn user to do it by himself
messages.append(str(ex))
if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_ceilometer.crt')
ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_ceilometer.key')
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'ceilometer'
generate_ssl_cert(config, host, service, ssl_key_file,
ssl_cert_file)
mq_template = get_mq(config, "nova_ceilometer")
manifestdata += getManifestTemplate(mq_template)
manifestdata += getManifestTemplate("nova_ceilometer")
fw_details = dict()
key = "nova_compute"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % config['CONFIG_CONTROLLER_HOST']
fw_details[key]['service_name'] = "nova compute"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['5900-5999']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_NOVA_COMPUTE_RULES'] = fw_details
manifestdata += "\n" + createFirewallResources(
'FIREWALL_NOVA_COMPUTE_RULES')
manifestdata += "\n" + ssh_hostkeys
appendManifestFile(manifestfile, manifestdata)
def create_manifests(config, messages):
global q_hosts
service_plugins = ['qos', 'trunk']
service_providers = []
if config['CONFIG_LBAAS_INSTALL'] == 'y':
lbaas_plugin = ('neutron_lbaas.services.loadbalancer.plugin.'
'LoadBalancerPluginv2')
service_plugins.append(lbaas_plugin)
lbaas_sp = ('LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.'
'plugin_driver.HaproxyOnHostPluginDriver:default')
service_providers.append(lbaas_sp)
if use_ml2_with_ovn(config):
service_plugins.append('ovn-router')
else:
# ML2 uses the L3 Router service plugin to implement l3 agent for linuxbridge and ovs
service_plugins.append('router')
if config['CONFIG_NEUTRON_METERING_AGENT_INSTALL'] == 'y':
service_plugins.append('metering')
if config['CONFIG_NEUTRON_FWAAS'] == 'y':
service_plugins.append('firewall')
fwaas_sp = ('FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.'
'OVSHybridIptablesFirewallDriver:default')
service_providers.append(fwaas_sp)
if config['CONFIG_NEUTRON_VPNAAS'] == 'y':
service_plugins.append('vpnaas')
vpnaas_sp = ('VPN:libreswan:neutron_vpnaas.services.vpn.'
'service_drivers.ipsec.IPsecVPNDriver:default')
service_providers.append(vpnaas_sp)
config['SERVICE_PLUGINS'] = (service_plugins if service_plugins
else 'undef')
config['SERVICE_PROVIDERS'] = (service_providers if service_providers
else [])
config['FIREWALL_DRIVER'] = ("neutron.agent.linux.iptables_firewall."
"OVSHybridIptablesFirewallDriver")
plugin_manifest = 'neutron_ml2_plugin'
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_NEUTRON_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_neutron.crt'
)
ssl_key_file = config['CONFIG_NEUTRON_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_neutron.key'
)
service = 'neutron'
for host in q_hosts:
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
generate_ssl_cert(config, host, service, ssl_key_file,
ssl_cert_file)
if host in api_hosts:
# Firewall
fw_details = dict()
key = "neutron_server_%s" % host
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "neutron server"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['9696']
fw_details[key]['proto'] = "tcp"
if use_ml2_with_ovn(config):
key = "ovn_northd_%s" % host
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "ovn northd"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['6641']
fw_details[key]['proto'] = "tcp"
key = "ovn_southd_%s" % host
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "ovn southd"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['6642']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_NEUTRON_SERVER_RULES'] = fw_details
# We also need to open VXLAN/GRE port for agent
if (use_openvswitch_vxlan(config) or use_openvswitch_gre(config) or
use_ovn_geneve(config)):
if config['CONFIG_IP_VERSION'] == 'ipv6':
msg = output_messages.WARN_IPV6_OVS
messages.append(utils.color_text(msg % host, 'red'))
fw_details = dict()
if (config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS']):
tunnel_subnets = map(
str.strip,
config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS'].split(',')
)
cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s" % host)
for subnet in tunnel_subnets:
tunnel_fw_details(config, host, subnet, fw_details)
config[cf_fw_nt_key] = fw_details
else:
cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s" % host)
for n_host in network_hosts | compute_hosts:
if config['CONFIG_NEUTRON_OVS_TUNNEL_IF']:
if config['CONFIG_USE_SUBNETS'] == 'y':
iface = common.cidr_to_ifname(
config['CONFIG_NEUTRON_OVS_TUNNEL_IF'],
n_host, config)
else:
iface = config['CONFIG_NEUTRON_OVS_TUNNEL_IF']
ifip = ("ipaddress_%s" % iface)
ifip = re.sub('[\.\-\:]', '_', ifip)
try:
src_host = config['HOST_DETAILS'][n_host][ifip]
except KeyError:
raise KeyError('Couldn\'t detect ipaddress of '
'interface %s on node %s' %
(iface, n_host))
else:
src_host = n_host
tunnel_fw_details(config, host, src_host, fw_details)
config[cf_fw_nt_key] = fw_details
def create_compute_manifest(config, messages):
global compute_hosts, network_hosts
if config["CONFIG_HORIZON_SSL"] == 'y':
config["CONFIG_VNCPROXY_PROTOCOL"] = "https"
else:
config["CONFIG_VNCPROXY_PROTOCOL"] = "http"
config["CONFIG_NOVA_ALLOW_RESIZE_TO_SAME"] = len(compute_hosts) == 1
ssh_keys_details = {}
for host in compute_hosts:
try:
hostname, aliases, addrs = socket.gethostbyaddr(host)
except socket.herror:
hostname, aliases, addrs = (host, [], [])
for hostkey in config['HOST_KEYS_%s' % host].split('\n'):
hostkey = hostkey.strip()
if not hostkey:
continue
_, host_key_type, host_key_data = hostkey.split()
key = "%s.%s" % (host_key_type, hostname)
ssh_keys_details.setdefault(key, {})
ssh_keys_details[key]['ensure'] = 'present'
ssh_keys_details[key]['host_aliases'] = [hostname] + aliases + addrs
ssh_keys_details[key]['key'] = host_key_data
ssh_keys_details[key]['type'] = host_key_type
config['SSH_KEYS'] = ssh_keys_details
if config['CONFIG_VMWARE_BACKEND'] == 'y':
vcenters = [i.strip() for i in
config['CONFIG_VCENTER_CLUSTER_NAMES'].split(',')
if i.strip()]
if not vcenters:
raise exceptions.ParamValidationError(
"Please specify at least one VMware vCenter cluster in"
" CONFIG_VCENTER_CLUSTER_NAMES"
)
if len(vcenters) != len(compute_hosts):
if len(vcenters) > 1:
raise exceptions.ParamValidationError(
"Number of vmware clusters %s is not same"
" as number of nova computes %s", (vcenters, compute_hosts)
)
else:
vcenters = len(compute_hosts) * [vcenters[0]]
vmware_clusters = dict(zip(compute_hosts, vcenters))
config['CONFIG_VCENTER_CLUSTERS'] = vmware_clusters
for host in compute_hosts:
fw_details = dict()
cf_fw_qemu_mig_key = "FIREWALL_NOVA_QEMU_MIG_RULES_%s" % host
for c_host in compute_hosts:
key = "nova_qemu_migration_%s_%s" % (host, c_host)
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % c_host
fw_details[key]['service_name'] = "nova qemu migration"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['16509', '49152-49215']
fw_details[key]['proto'] = "tcp"
config[cf_fw_qemu_mig_key] = fw_details
if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_ceilometer.crt'
)
ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_ceilometer.key'
)
ssl_host = config['CONFIG_CONTROLLER_HOST']
service = 'ceilometer'
generate_ssl_cert(config, host, service, ssl_key_file,
ssl_cert_file)
fw_details = dict()
key = "nova_compute"
fw_details.setdefault(key, {})
fw_details[key]['host'] = "%s" % config['CONFIG_CONTROLLER_HOST']
fw_details[key]['service_name'] = "nova compute"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['5900-5999']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_NOVA_COMPUTE_RULES'] = fw_details
def create_manifests(config, messages):
global q_hosts
service_plugins = []
if config['CONFIG_LBAAS_INSTALL'] == 'y':
service_plugins.append('lbaas')
# ML2 uses the L3 Router service plugin to implement l3 agent
service_plugins.append('router')
if config['CONFIG_NEUTRON_METERING_AGENT_INSTALL'] == 'y':
service_plugins.append('metering')
if config['CONFIG_NEUTRON_FWAAS'] == 'y':
service_plugins.append('firewall')
if config['CONFIG_NEUTRON_VPNAAS'] == 'y':
service_plugins.append('vpnaas')
config['SERVICE_PLUGINS'] = (service_plugins if service_plugins
else 'undef')
config['FIREWALL_DRIVER'] = ("neutron.agent.linux.iptables_firewall."
"OVSHybridIptablesFirewallDriver")
plugin_manifest = 'neutron_ml2_plugin'
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
ssl_cert_file = config['CONFIG_NEUTRON_SSL_CERT'] = (
'/etc/pki/tls/certs/ssl_amqp_neutron.crt'
)
ssl_key_file = config['CONFIG_NEUTRON_SSL_KEY'] = (
'/etc/pki/tls/private/ssl_amqp_neutron.key'
)
service = 'neutron'
for host in q_hosts:
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
generate_ssl_cert(config, host, service, ssl_key_file,
ssl_cert_file)
manifest_file = "%s_neutron.pp" % (host,)
manifest_data = getManifestTemplate("neutron")
manifest_data += getManifestTemplate(get_mq(config, "neutron"))
appendManifestFile(manifest_file, manifest_data, 'neutron')
if host in api_hosts:
manifest_file = "%s_neutron.pp" % (host,)
manifest_data = getManifestTemplate("neutron_api")
if config['CONFIG_NOVA_INSTALL'] == 'y':
template_name = "neutron_notifications"
manifest_data += getManifestTemplate(template_name)
# Set up any l2 plugin configs we need only on neutron api nodes
# XXX I am not completely sure about this, but it seems necessary:
manifest_data += getManifestTemplate(plugin_manifest)
# Firewall
fw_details = dict()
key = "neutron_server_%s" % host
fw_details.setdefault(key, {})
fw_details[key]['host'] = "ALL"
fw_details[key]['service_name'] = "neutron server"
fw_details[key]['chain'] = "INPUT"
fw_details[key]['ports'] = ['9696']
fw_details[key]['proto'] = "tcp"
config['FIREWALL_NEUTRON_SERVER_RULES'] = fw_details
manifest_data += createFirewallResources(
'FIREWALL_NEUTRON_SERVER_RULES'
)
appendManifestFile(manifest_file, manifest_data, 'neutron')
# We also need to open VXLAN/GRE port for agent
manifest_data = ""
if use_openvswitch_vxlan(config) or use_openvswitch_gre(config):
if config['CONFIG_IP_VERSION'] == 'ipv6':
msg = output_messages.WARN_IPV6_OVS
messages.append(utils.color_text(msg % host, 'red'))
if (config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS']):
tunnel_subnets = map(
str.strip,
config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS'].split(',')
)
for subnet in tunnel_subnets:
cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s_%s"
% (host, subnet))
config[cf_fw_nt_key] = tunnel_fw_details(config,
host, subnet)
manifest_data += createFirewallResources(cf_fw_nt_key)
else:
for n_host in network_hosts | compute_hosts:
cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s_%s"
% (host, n_host))
if config['CONFIG_NEUTRON_OVS_TUNNEL_IF']:
if config['CONFIG_USE_SUBNETS'] == 'y':
iface = common.cidr_to_ifname(
config['CONFIG_NEUTRON_OVS_TUNNEL_IF'],
n_host, config)
else:
iface = config['CONFIG_NEUTRON_OVS_TUNNEL_IF']
ifip = ("ipaddress_%s" % iface)
try:
src_host = config['HOST_DETAILS'][n_host][ifip]
except KeyError:
raise KeyError('Couldn\'t detect ipaddress of '
'interface %s on node %s' %
(iface, n_host))
else:
src_host = n_host
config[cf_fw_nt_key] = tunnel_fw_details(config,
host, src_host)
manifest_data += createFirewallResources(cf_fw_nt_key)
appendManifestFile(manifest_file, manifest_data, 'neutron')