def create_vncproxy_manifest(config, messages): if config["CONFIG_HORIZON_SSL"] == 'y': if config["CONFIG_VNC_SSL_CERT"]: ssl_cert_file = config["CONFIG_VNC_SSL_CERT"] ssl_key_file = config["CONFIG_VNC_SSL_KEY"] if not os.path.exists(ssl_cert_file): raise exceptions.ParamValidationError( "The file %s doesn't exist" % ssl_cert_file) if not os.path.exists(ssl_key_file): raise exceptions.ParamValidationError( "The file %s doesn't exist" % ssl_key_file) final_cert = open(ssl_cert_file, 'rt').read() final_key = open(ssl_key_file, 'rt').read() deliver_ssl_file(final_cert, ssl_cert_file, config['CONFIG_CONTROLLER_HOST']) deliver_ssl_file(final_key, ssl_key_file, config['CONFIG_CONTROLLER_HOST']) else: config["CONFIG_VNC_SSL_CERT"] = '/etc/pki/tls/certs/ssl_vnc.crt' config["CONFIG_VNC_SSL_KEY"] = '/etc/pki/tls/private/ssl_vnc.key' ssl_key_file = config["CONFIG_VNC_SSL_KEY"] ssl_cert_file = config["CONFIG_VNC_SSL_CERT"] ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'vnc' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file)
def create_manifest(config, messages): if config["CONFIG_UNSUPPORTED"] != "y": config["CONFIG_STORAGE_HOST"] = config["CONFIG_CONTROLLER_HOST"] if config["CONFIG_AMQP_ENABLE_SSL"] == "y": ssl_host = config["CONFIG_STORAGE_HOST"] ssl_cert_file = config["CONFIG_MANILA_SSL_CERT"] = "/etc/pki/tls/certs/ssl_amqp_manila.crt" ssl_key_file = config["CONFIG_MANILA_SSL_KEY"] = "/etc/pki/tls/private/ssl_amqp_manila.key" service = "manila" generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) # Change these from text to Boolean values boolean_keys = ["CONFIG_MANILA_GENERIC_DRV_HANDLES_SHARE_SERVERS", "CONFIG_MANILA_NETAPP_DRV_HANDLES_SHARE_SERVERS"] for key in [k for k in boolean_keys if k in config]: if config[key].lower() == "true": config[key] = True elif config[key].lower() == "false": config[key] = False # manila API should be open for everyone fw_details = dict() key = "manila_api" fw_details.setdefault(key, {}) fw_details[key]["host"] = "ALL" fw_details[key]["service_name"] = "manila-api" fw_details[key]["chain"] = "INPUT" fw_details[key]["ports"] = ["8786"] fw_details[key]["proto"] = "tcp" config["FIREWALL_MANILA_API_RULES"] = fw_details
def create_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_TROVE_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_trove.crt' ) ssl_key_file = config['CONFIG_TROVE_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_trove.key' ) ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'trove' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) if (config['CONFIG_TROVE_NOVA_USER'] == 'trove' and config['CONFIG_TROVE_NOVA_PW'] == ''): config['CONFIG_TROVE_NOVA_PW'] = config['CONFIG_TROVE_KS_PW'] manifestfile = "%s_trove.pp" % config["CONFIG_CONTROLLER_HOST"] manifestdata = getManifestTemplate(get_mq(config, "trove")) manifestdata += getManifestTemplate('trove.pp') fw_details = dict() key = "trove" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "trove api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8779'] fw_details[key]['proto'] = "tcp" config['FIREWALL_TROVE_API_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_TROVE_API_RULES') appendManifestFile(manifestfile, manifestdata, marker='trove')
def create_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_CONTROLLER_HOST'] ssl_cert_file = config['CONFIG_IRONIC_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_ironic.crt' ) ssl_key_file = config['CONFIG_IRONIC_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_ironic.key' ) service = 'ironic' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) manifestfile = "%s_ironic.pp" % config['CONFIG_CONTROLLER_HOST'] manifestdata = getManifestTemplate(get_mq(config, "ironic")) manifestdata += getManifestTemplate("ironic.pp") fw_details = dict() key = "ironic-api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "ironic-api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['6385'] fw_details[key]['proto'] = "tcp" config['FIREWALL_IRONIC_API_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_IRONIC_API_RULES') appendManifestFile(manifestfile, manifestdata, 'pre')
def create_manifest(config, messages): if config['CONFIG_UNSUPPORTED'] != 'y': config['CONFIG_SAHARA_HOST'] = config['CONFIG_CONTROLLER_HOST'] if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_SAHARA_HOST'] ssl_cert_file = config['CONFIG_SAHARA_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_sahara.crt' ) ssl_key_file = config['CONFIG_SAHARA_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_sahara.key' ) service = 'sahara' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) fw_details = dict() key = "sahara-api" fw_details.setdefault(key, {}) fw_details[key]["host"] = "ALL" fw_details[key]["service_name"] = "sahara api" fw_details[key]["chain"] = "INPUT" fw_details[key]["ports"] = ["8386"] fw_details[key]["proto"] = "tcp" config["FIREWALL_SAHARA_CFN_RULES"] = fw_details
def create_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_TROVE_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_trove.crt' ) ssl_key_file = config['CONFIG_TROVE_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_trove.key' ) ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'trove' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) if (config['CONFIG_TROVE_NOVA_USER'] == 'trove' and config['CONFIG_TROVE_NOVA_PW'] == ''): config['CONFIG_TROVE_NOVA_PW'] = config['CONFIG_TROVE_KS_PW'] fw_details = dict() key = "trove" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "trove api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8779'] fw_details[key]['proto'] = "tcp" config['FIREWALL_TROVE_API_RULES'] = fw_details
def create_common_manifest(config, messages): global compute_hosts, network_hosts network_type = (config['CONFIG_NEUTRON_INSTALL'] == "y" and 'neutron' or 'nova') network_multi = len(network_hosts) > 1 dbacces_hosts = set([config.get('CONFIG_CONTROLLER_HOST')]) dbacces_hosts |= network_hosts for manifestfile, marker in manifestfiles.getFiles(): pw_in_sqlconn = False if manifestfile.endswith("_nova.pp"): host, manifest = manifestfile.split('_', 1) host = host.strip() if host in compute_hosts and host not in dbacces_hosts: # we should omit password in case we are installing only # nova-compute to the host perms = "nova" pw_in_sqlconn = False else: perms = "nova:%s" % config['CONFIG_NOVA_DB_PW'] pw_in_sqlconn = True mariadb_host_url = config['CONFIG_MARIADB_HOST_URL'] sqlconn = "mysql+pymysql://%s@%s/nova" % (perms, mariadb_host_url) if pw_in_sqlconn: config['CONFIG_NOVA_SQL_CONN_PW'] = sqlconn else: config['CONFIG_NOVA_SQL_CONN_NOPW'] = sqlconn # for nova-network in multihost mode each compute host is metadata # host otherwise we use api host if (network_type == 'nova' and network_multi and host in compute_hosts): metadata = host else: metadata = config['CONFIG_CONTROLLER_HOST'] config['CONFIG_NOVA_METADATA_HOST'] = metadata data = getManifestTemplate(get_mq(config, "nova_common")) if pw_in_sqlconn: data += getManifestTemplate("nova_common_pw") else: data += getManifestTemplate("nova_common_nopw") # We need to have class nova before class nova::api, so prepend # instead of append prependManifestFile(os.path.split(manifestfile)[1], data) if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': nova_hosts = compute_hosts nova_hosts |= set([config.get('CONFIG_CONTROLLER_HOST')]) ssl_cert_file = config['CONFIG_NOVA_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_nova.crt') ssl_key_file = config['CONFIG_NOVA_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_nova.key') service = 'nova' for host in nova_hosts: generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file)
def create_manifest(config, messages): manifestfile = "%s_aodh.pp" % config['CONFIG_CONTROLLER_HOST'] manifestdata = getManifestTemplate(get_mq(config, "aodh")) manifestdata += getManifestTemplate("aodh") manifestdata += getManifestTemplate("apache_ports") if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_AODH_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_aodh.crt') ssl_key_file = config['CONFIG_AODH_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_aodh.key') ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'aodh' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) fw_details = dict() key = "aodh_api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "aodh-api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8042'] fw_details[key]['proto'] = "tcp" config['FIREWALL_AODH_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_AODH_RULES') appendManifestFile(manifestfile, manifestdata, 'aodh')
def create_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_CONTROLLER_HOST'] ssl_cert_file = config['CONFIG_HEAT_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_heat.crt' ) ssl_key_file = config['CONFIG_HEAT_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_heat.key' ) service = 'heat' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) manifestfile = "%s_heat.pp" % config['CONFIG_CONTROLLER_HOST'] manifestdata = getManifestTemplate(get_mq(config, "heat")) manifestdata += getManifestTemplate("heat") manifestdata += getManifestTemplate("keystone_heat") fw_details = dict() key = "heat" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "heat" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8004'] fw_details[key]['proto'] = "tcp" config['FIREWALL_HEAT_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_HEAT_RULES') appendManifestFile(manifestfile, manifestdata, marker='heat')
def create_manifest(config, messages): if config["CONFIG_AMQP_ENABLE_SSL"] == "y": ssl_host = config["CONFIG_CONTROLLER_HOST"] ssl_cert_file = config["CONFIG_HEAT_SSL_CERT"] = "/etc/pki/tls/certs/ssl_amqp_heat.crt" ssl_key_file = config["CONFIG_HEAT_SSL_KEY"] = "/etc/pki/tls/private/ssl_amqp_heat.key" service = "heat" generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) manifestfile = "%s_heat.pp" % config["CONFIG_CONTROLLER_HOST"] manifestdata = getManifestTemplate(get_mq(config, "heat")) manifestdata += getManifestTemplate("heat") manifestdata += getManifestTemplate("keystone_heat") fw_details = dict() key = "heat" fw_details.setdefault(key, {}) fw_details[key]["host"] = "ALL" fw_details[key]["service_name"] = "heat" fw_details[key]["chain"] = "INPUT" fw_details[key]["ports"] = ["8004"] fw_details[key]["proto"] = "tcp" config["FIREWALL_HEAT_RULES"] = fw_details manifestdata += createFirewallResources("FIREWALL_HEAT_RULES") appendManifestFile(manifestfile, manifestdata, marker="heat")
def create_vncproxy_manifest(config, messages): if config["CONFIG_HORIZON_SSL"] == 'y': if config["CONFIG_VNC_SSL_CERT"]: ssl_cert_file = config["CONFIG_VNC_SSL_CERT"] ssl_key_file = config["CONFIG_VNC_SSL_KEY"] if not os.path.exists(ssl_cert_file): raise exceptions.ParamValidationError( "The file %s doesn't exist" % ssl_cert_file) if not os.path.exists(ssl_key_file): raise exceptions.ParamValidationError( "The file %s doesn't exist" % ssl_key_file) final_cert = open(ssl_cert_file, 'rt').read() final_key = open(ssl_key_file, 'rt').read() deliver_ssl_file(final_cert, ssl_cert_file, config['CONFIG_CONTROLLER_HOST']) deliver_ssl_file(final_key, ssl_key_file, config['CONFIG_CONTROLLER_HOST']) else: config["CONFIG_VNC_SSL_CERT"] = '/etc/pki/tls/certs/ssl_vnc.crt' config["CONFIG_VNC_SSL_KEY"] = '/etc/pki/tls/private/ssl_vnc.key' ssl_key_file = config["CONFIG_VNC_SSL_KEY"] ssl_cert_file = config["CONFIG_VNC_SSL_CERT"] ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'vnc' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file)
def create_manifest(config, messages): manifestfile = "%s_aodh.pp" % config['CONFIG_CONTROLLER_HOST'] manifestdata = getManifestTemplate(get_mq(config, "aodh")) manifestdata += getManifestTemplate("aodh") if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_AODH_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_aodh.crt' ) ssl_key_file = config['CONFIG_AODH_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_aodh.key' ) ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'aodh' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) fw_details = dict() key = "aodh_api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "aodh-api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8042'] fw_details[key]['proto'] = "tcp" config['FIREWALL_AODH_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_AODH_RULES') appendManifestFile(manifestfile, manifestdata, 'aodh')
def create_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_SAHARA_HOST'] ssl_cert_file = config['CONFIG_SAHARA_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_sahara.crt' ) ssl_key_file = config['CONFIG_SAHARA_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_sahara.key' ) service = 'sahara' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) manifestfile = "%s_sahara.pp" % config['CONFIG_STORAGE_HOST'] manifestdata = getManifestTemplate(get_mq(config, "sahara")) manifestdata += getManifestTemplate("sahara.pp") if config['CONFIG_CEILOMETER_INSTALL'] == 'y': manifestdata += getManifestTemplate('sahara_ceilometer') fw_details = dict() key = "sahara-api" fw_details.setdefault(key, {}) fw_details[key]["host"] = "ALL" fw_details[key]["service_name"] = "sahara api" fw_details[key]["chain"] = "INPUT" fw_details[key]["ports"] = ["8386"] fw_details[key]["proto"] = "tcp" config["FIREWALL_SAHARA_CFN_RULES"] = fw_details manifestdata += createFirewallResources("FIREWALL_SAHARA_CFN_RULES") appendManifestFile(manifestfile, manifestdata, marker='sahara')
def create_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_STORAGE_HOST'] ssl_cert_file = config['CONFIG_GLANCE_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_glance.crt' ) ssl_key_file = config['CONFIG_GLANCE_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_glance.key' ) service = 'glance' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) manifestfile = "%s_glance.pp" % config['CONFIG_STORAGE_HOST'] manifestdata = getManifestTemplate("glance") if config['CONFIG_CEILOMETER_INSTALL'] == 'y': mq_template = get_mq(config, "glance_ceilometer") manifestdata += getManifestTemplate(mq_template) fw_details = dict() key = "glance_api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "glance" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['9292'] fw_details[key]['proto'] = "tcp" config['FIREWALL_GLANCE_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_GLANCE_RULES') appendManifestFile(manifestfile, manifestdata)
def create_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_CONTROLLER_HOST'] ssl_cert_file = config['CONFIG_HEAT_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_heat.crt') ssl_key_file = config['CONFIG_HEAT_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_heat.key') service = 'heat' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) manifestfile = "%s_heat.pp" % config['CONFIG_CONTROLLER_HOST'] manifestdata = getManifestTemplate(get_mq(config, "heat")) manifestdata += getManifestTemplate("heat") manifestdata += getManifestTemplate("keystone_heat") fw_details = dict() key = "heat" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "heat" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8004'] fw_details[key]['proto'] = "tcp" config['FIREWALL_HEAT_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_HEAT_RULES') appendManifestFile(manifestfile, manifestdata, marker='heat')
def create_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_STORAGE_HOST'] ssl_cert_file = config['CONFIG_GLANCE_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_glance.crt') ssl_key_file = config['CONFIG_GLANCE_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_glance.key') service = 'glance' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) manifestfile = "%s_glance.pp" % config['CONFIG_STORAGE_HOST'] manifestdata = getManifestTemplate("glance") if config['CONFIG_CEILOMETER_INSTALL'] == 'y': mq_template = get_mq(config, "glance_ceilometer") manifestdata += getManifestTemplate(mq_template) fw_details = dict() key = "glance_api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "glance" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['9292'] fw_details[key]['proto'] = "tcp" config['FIREWALL_GLANCE_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_GLANCE_RULES') appendManifestFile(manifestfile, manifestdata)
def create_common_manifest(config, messages): global compute_hosts, network_hosts network_type = (config['CONFIG_NEUTRON_INSTALL'] == "y" and 'neutron' or 'nova') network_multi = len(network_hosts) > 1 dbacces_hosts = set([config.get('CONFIG_CONTROLLER_HOST')]) dbacces_hosts |= network_hosts for manifestfile, marker in manifestfiles.getFiles(): pw_in_sqlconn = False if manifestfile.endswith("_nova.pp"): host, manifest = manifestfile.split('_', 1) host = host.strip() if host in compute_hosts and host not in dbacces_hosts: # we should omit password in case we are installing only # nova-compute to the host perms = "nova" pw_in_sqlconn = False else: perms = "nova:%s" % config['CONFIG_NOVA_DB_PW'] pw_in_sqlconn = True mariadb_host_url = config['CONFIG_MARIADB_HOST_URL'] sqlconn = "mysql://%s@%s/nova" % (perms, mariadb_host_url) if pw_in_sqlconn: config['CONFIG_NOVA_SQL_CONN_PW'] = sqlconn else: config['CONFIG_NOVA_SQL_CONN_NOPW'] = sqlconn # for nova-network in multihost mode each compute host is metadata # host otherwise we use api host if (network_type == 'nova' and network_multi and host in compute_hosts): metadata = host else: metadata = config['CONFIG_CONTROLLER_HOST'] config['CONFIG_NOVA_METADATA_HOST'] = metadata data = getManifestTemplate(get_mq(config, "nova_common")) if pw_in_sqlconn: data += getManifestTemplate("nova_common_pw") else: data += getManifestTemplate("nova_common_nopw") appendManifestFile(os.path.split(manifestfile)[1], data) if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': nova_hosts = compute_hosts nova_hosts |= set([config.get('CONFIG_CONTROLLER_HOST')]) ssl_cert_file = config['CONFIG_NOVA_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_nova.crt' ) ssl_key_file = config['CONFIG_NOVA_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_nova.key' ) service = 'nova' for host in nova_hosts: generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file)
def create_manifest(config, messages): manifestfile = "%s_ceilometer.pp" % config['CONFIG_CONTROLLER_HOST'] manifestdata = getManifestTemplate(get_mq(config, "ceilometer")) manifestdata += getManifestTemplate("ceilometer") if config['CONFIG_CEILOMETER_COORDINATION_BACKEND'] == 'redis': # Determine if we need to configure multiple sentinel hosts as # fallbacks for use in coordination url. sentinel_hosts = split_hosts(config['CONFIG_REDIS_SENTINEL_HOSTS']) sentinel_port = config['CONFIG_REDIS_SENTINEL_PORT'] sentinel_host = config['CONFIG_REDIS_SENTINEL_CONTACT_HOST'] if config['CONFIG_IP_VERSION'] == 'ipv6': config['CONFIG_REDIS_SENTINEL_CONTACT_HOST_URL'] = "[%s]" % ( sentinel_host) else: config['CONFIG_REDIS_SENTINEL_CONTACT_HOST_URL'] = sentinel_host sentinel_contact = config['CONFIG_REDIS_SENTINEL_CONTACT_HOST'] if len(sentinel_hosts) > 1: sentinel_format = 'sentinel_fallback=%s:%s' if config['CONFIG_IP_VERSION'] == 'ipv6': sentinel_format = 'sentinel_fallback=[%s]:%s' sentinel_fallbacks = '&'.join([sentinel_format % (host, sentinel_port) for host in sentinel_hosts if host != sentinel_contact]) else: sentinel_fallbacks = '' config['CONFIG_REDIS_SENTINEL_FALLBACKS'] = sentinel_fallbacks if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_ceilometer.crt' ) ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_ceilometer.key' ) ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'ceilometer' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) fw_details = dict() key = "ceilometer_api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "ceilometer-api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8777'] fw_details[key]['proto'] = "tcp" config['FIREWALL_CEILOMETER_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_CEILOMETER_RULES') # Add a template that creates a group for nova because the ceilometer # class needs it if config['CONFIG_NOVA_INSTALL'] == 'n': manifestdata += getManifestTemplate("ceilometer_nova_disabled") appendManifestFile(manifestfile, manifestdata, 'ceilometer')
def create_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_STORAGE_HOST'] ssl_cert_file = config['CONFIG_CINDER_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_cinder.crt' ) ssl_key_file = config['CONFIG_CINDER_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_cinder.key' ) service = 'cinder' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) manifestdata = getManifestTemplate(get_mq(config, "cinder")) manifestfile = "%s_cinder.pp" % config['CONFIG_STORAGE_HOST'] manifestdata += getManifestTemplate("cinder") for backend in config['CONFIG_CINDER_BACKEND']: manifestdata += getManifestTemplate('cinder_%s' % backend) if config['CONFIG_CEILOMETER_INSTALL'] == 'y': manifestdata += getManifestTemplate('cinder_ceilometer') if config['CONFIG_SWIFT_INSTALL'] == 'y': manifestdata += getManifestTemplate('cinder_backup') fw_details = dict() for host in split_hosts(config['CONFIG_COMPUTE_HOSTS']): if (config['CONFIG_NOVA_INSTALL'] == 'y' and config['CONFIG_VMWARE_BACKEND'] == 'n'): key = "cinder_%s" % host fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % host else: key = "cinder_all" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "cinder" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['3260'] fw_details[key]['proto'] = "tcp" config['FIREWALL_CINDER_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_CINDER_RULES') # cinder API should be open for everyone fw_details = dict() key = "cinder_api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "cinder-api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8776'] fw_details[key]['proto'] = "tcp" config['FIREWALL_CINDER_API_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_CINDER_API_RULES') appendManifestFile(manifestfile, manifestdata)
def create_manifest(config, messages): manifestfile = "%s_ceilometer.pp" % config['CONFIG_CONTROLLER_HOST'] manifestdata = getManifestTemplate(get_mq(config, "ceilometer")) manifestdata += getManifestTemplate("ceilometer") if config['CONFIG_CEILOMETER_COORDINATION_BACKEND'] == 'redis': # Determine if we need to configure multiple sentinel hosts as # fallbacks for use in coordination url. sentinel_hosts = split_hosts(config['CONFIG_REDIS_SENTINEL_HOSTS']) sentinel_port = config['CONFIG_REDIS_SENTINEL_PORT'] sentinel_host = config['CONFIG_REDIS_SENTINEL_CONTACT_HOST'] if config['CONFIG_IP_VERSION'] == 'ipv6': config['CONFIG_REDIS_SENTINEL_CONTACT_HOST_URL'] = "[%s]" % ( sentinel_host) else: config['CONFIG_REDIS_SENTINEL_CONTACT_HOST_URL'] = sentinel_host sentinel_contact = config['CONFIG_REDIS_SENTINEL_CONTACT_HOST'] if len(sentinel_hosts) > 1: sentinel_format = 'sentinel_fallback=%s:%s' if config['CONFIG_IP_VERSION'] == 'ipv6': sentinel_format = 'sentinel_fallback=[%s]:%s' sentinel_fallbacks = '&'.join([ sentinel_format % (host, sentinel_port) for host in sentinel_hosts if host != sentinel_contact ]) else: sentinel_fallbacks = '' config['CONFIG_REDIS_SENTINEL_FALLBACKS'] = sentinel_fallbacks if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_ceilometer.crt') ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_ceilometer.key') ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'ceilometer' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) fw_details = dict() key = "ceilometer_api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "ceilometer-api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8777'] fw_details[key]['proto'] = "tcp" config['FIREWALL_CEILOMETER_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_CEILOMETER_RULES') # Add a template that creates a group for nova because the ceilometer # class needs it if config['CONFIG_NOVA_INSTALL'] == 'n': manifestdata += getManifestTemplate("ceilometer_nova_disabled") appendManifestFile(manifestfile, manifestdata, 'ceilometer')
def create_common_manifest(config, messages): global compute_hosts, network_hosts network_type = (config['CONFIG_NEUTRON_INSTALL'] == "y" and 'neutron' or 'nova') network_multi = len(network_hosts) > 1 dbacces_hosts = set([config.get('CONFIG_CONTROLLER_HOST')]) dbacces_hosts |= network_hosts for host in filtered_hosts(config): pw_in_sqlconn = False host = host.strip() if host in compute_hosts and host not in dbacces_hosts: # we should omit password in case we are installing only # nova-compute to the host perms = "nova" pw_in_sqlconn = False else: perms = "nova:%s" % config['CONFIG_NOVA_DB_PW'] pw_in_sqlconn = True mariadb_host_url = config['CONFIG_MARIADB_HOST_URL'] sqlconn = "mysql+pymysql://%s@%s/nova" % (perms, mariadb_host_url) if pw_in_sqlconn: config['CONFIG_NOVA_SQL_CONN_PW'] = sqlconn else: config['CONFIG_NOVA_SQL_CONN_NOPW'] = sqlconn # for nova-network in multihost mode each compute host is metadata # host otherwise we use api host if (network_type == 'nova' and network_multi and host in compute_hosts): metadata = host else: metadata = config['CONFIG_CONTROLLER_HOST'] config['CONFIG_NOVA_METADATA_HOST'] = metadata if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': nova_hosts = compute_hosts nova_hosts |= set([config.get('CONFIG_CONTROLLER_HOST')]) ssl_cert_file = config['CONFIG_NOVA_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_nova.crt' ) ssl_key_file = config['CONFIG_NOVA_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_nova.key' ) service = 'nova' for host in nova_hosts: generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file)
def create_manifest(config, messages): if config['CONFIG_UNSUPPORTED'] != 'y': config['CONFIG_STORAGE_HOST'] = config['CONFIG_CONTROLLER_HOST'] if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_STORAGE_HOST'] ssl_cert_file = config['CONFIG_MANILA_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_manila.crt' ) ssl_key_file = config['CONFIG_MANILA_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_manila.key' ) service = 'manila' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) # Change these from text to Boolean values boolean_keys = ['CONFIG_MANILA_GENERIC_DRV_HANDLES_SHARE_SERVERS', 'CONFIG_MANILA_NETAPP_DRV_HANDLES_SHARE_SERVERS'] for key in [k for k in boolean_keys if k in config]: if config[key].lower() == "true": config[key] = True elif config[key].lower() == "false": config[key] = False manifestdata = getManifestTemplate(get_mq(config, "manila")) manifestfile = "%s_manila.pp" % config['CONFIG_STORAGE_HOST'] manifestdata += getManifestTemplate("manila.pp") manifestdata += getManifestTemplate("manila_network.pp") backends = config['CONFIG_MANILA_BACKEND'] for backend in backends: manifestdata += getManifestTemplate('manila_%s.pp' % backend) # manila API should be open for everyone fw_details = dict() key = "manila_api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "manila-api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8786'] fw_details[key]['proto'] = "tcp" config['FIREWALL_MANILA_API_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_MANILA_API_RULES') appendManifestFile(manifestfile, manifestdata, marker='manila')
def create_manifest(config, messages): if config['CONFIG_UNSUPPORTED'] != 'y': config['CONFIG_STORAGE_HOST'] = config['CONFIG_CONTROLLER_HOST'] if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_STORAGE_HOST'] ssl_cert_file = config['CONFIG_MANILA_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_manila.crt') ssl_key_file = config['CONFIG_MANILA_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_manila.key') service = 'manila' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) # Change these from text to Boolean values boolean_keys = [ 'CONFIG_MANILA_GENERIC_DRV_HANDLES_SHARE_SERVERS', 'CONFIG_MANILA_NETAPP_DRV_HANDLES_SHARE_SERVERS' ] for key in [k for k in boolean_keys if k in config]: if config[key].lower() == "true": config[key] = True elif config[key].lower() == "false": config[key] = False manifestdata = getManifestTemplate(get_mq(config, "manila")) manifestfile = "%s_manila.pp" % config['CONFIG_STORAGE_HOST'] manifestdata += getManifestTemplate("manila.pp") manifestdata += getManifestTemplate("manila_network.pp") backends = config['CONFIG_MANILA_BACKEND'] for backend in backends: manifestdata += getManifestTemplate('manila_%s.pp' % backend) # manila API should be open for everyone fw_details = dict() key = "manila_api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "manila-api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8786'] fw_details[key]['proto'] = "tcp" config['FIREWALL_MANILA_API_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_MANILA_API_RULES') appendManifestFile(manifestfile, manifestdata, marker='manila')
def create_manifest(config, messages): server = utils.ScriptRunner(config['CONFIG_AMQP_HOST']) if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': config['CONFIG_AMQP_SSL_ENABLED'] = True config['CONFIG_AMQP_PROTOCOL'] = 'ssl' config['CONFIG_AMQP_CLIENTS_PORT'] = "5671" amqp_host = config['CONFIG_AMQP_HOST'] service = 'AMQP' ssl_key_file = '/etc/pki/tls/private/ssl_amqp.key' ssl_cert_file = '/etc/pki/tls/certs/ssl_amqp.crt' cacert = config['CONFIG_AMQP_SSL_CACERT_FILE'] = ( config['CONFIG_SSL_CACERT'] ) generate_ssl_cert(config, amqp_host, service, ssl_key_file, ssl_cert_file) else: # Set default values config['CONFIG_AMQP_CLIENTS_PORT'] = "5672" config['CONFIG_AMQP_SSL_ENABLED'] = False config['CONFIG_AMQP_PROTOCOL'] = 'tcp' if config['CONFIG_AMQP_ENABLE_AUTH'] == 'n': config['CONFIG_AMQP_AUTH_PASSWORD'] = '******' config['CONFIG_AMQP_AUTH_USER'] = '******' manifestfile = "%s_amqp.pp" % config['CONFIG_AMQP_HOST'] manifestdata = getManifestTemplate('amqp') if config['CONFIG_IP_VERSION'] == 'ipv6': config['CONFIG_AMQP_HOST_URL'] = "[%s]" % config['CONFIG_AMQP_HOST'] else: config['CONFIG_AMQP_HOST_URL'] = config['CONFIG_AMQP_HOST'] fw_details = dict() # All hosts should be able to talk to amqp for host in filtered_hosts(config, exclude=False): key = "amqp_%s" % host fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % host fw_details[key]['service_name'] = "amqp" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['5671', '5672'] fw_details[key]['proto'] = "tcp" config['FIREWALL_AMQP_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_AMQP_RULES') appendManifestFile(manifestfile, manifestdata, 'pre')
def create_manifest(config, messages): server = utils.ScriptRunner(config['CONFIG_AMQP_HOST']) if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': config['CONFIG_AMQP_SSL_ENABLED'] = True config['CONFIG_AMQP_PROTOCOL'] = 'ssl' config['CONFIG_AMQP_CLIENTS_PORT'] = "5671" amqp_host = config['CONFIG_AMQP_HOST'] service = 'AMQP' ssl_key_file = '/etc/pki/tls/private/ssl_amqp.key' ssl_cert_file = '/etc/pki/tls/certs/ssl_amqp.crt' cacert = config['CONFIG_AMQP_SSL_CACERT_FILE'] = ( config['CONFIG_SSL_CACERT']) generate_ssl_cert(config, amqp_host, service, ssl_key_file, ssl_cert_file) else: # Set default values config['CONFIG_AMQP_CLIENTS_PORT'] = "5672" config['CONFIG_AMQP_SSL_ENABLED'] = False config['CONFIG_AMQP_PROTOCOL'] = 'tcp' if config['CONFIG_AMQP_ENABLE_AUTH'] == 'n': config['CONFIG_AMQP_AUTH_PASSWORD'] = '******' config['CONFIG_AMQP_AUTH_USER'] = '******' manifestfile = "%s_amqp.pp" % config['CONFIG_AMQP_HOST'] manifestdata = getManifestTemplate('amqp') if config['CONFIG_IP_VERSION'] == 'ipv6': config['CONFIG_AMQP_HOST_URL'] = "[%s]" % config['CONFIG_AMQP_HOST'] else: config['CONFIG_AMQP_HOST_URL'] = config['CONFIG_AMQP_HOST'] fw_details = dict() # All hosts should be able to talk to amqp for host in filtered_hosts(config, exclude=False): key = "amqp_%s" % host fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % host fw_details[key]['service_name'] = "amqp" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['5671', '5672'] fw_details[key]['proto'] = "tcp" config['FIREWALL_AMQP_RULES'] = fw_details manifestdata += createFirewallResources('FIREWALL_AMQP_RULES') appendManifestFile(manifestfile, manifestdata, 'pre')
def create_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_STORAGE_HOST'] ssl_cert_file = config['CONFIG_CINDER_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_cinder.crt' ) ssl_key_file = config['CONFIG_CINDER_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_cinder.key' ) service = 'cinder' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) fw_details = dict() for host in split_hosts(config['CONFIG_COMPUTE_HOSTS']): if (config['CONFIG_NOVA_INSTALL'] == 'y' and config['CONFIG_VMWARE_BACKEND'] == 'n'): key = "cinder_%s" % host fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % host else: key = "cinder_all" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "cinder" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['3260'] fw_details[key]['proto'] = "tcp" config['FIREWALL_CINDER_RULES'] = fw_details # cinder API should be open for everyone fw_details = dict() key = "cinder_api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "cinder-api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8776'] fw_details[key]['proto'] = "tcp" config['FIREWALL_CINDER_API_RULES'] = fw_details
def create_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_STORAGE_HOST'] ssl_cert_file = config['CONFIG_CINDER_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_cinder.crt' ) ssl_key_file = config['CONFIG_CINDER_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_cinder.key' ) service = 'cinder' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) fw_details = dict() for host in split_hosts(config['CONFIG_COMPUTE_HOSTS']): if (config['CONFIG_NOVA_INSTALL'] == 'y' and config['CONFIG_VMWARE_BACKEND'] == 'n'): key = "cinder_%s" % host fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % host else: key = "cinder_all" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "cinder" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['3260'] fw_details[key]['proto'] = "tcp" config['FIREWALL_CINDER_RULES'] = fw_details # cinder API should be open for everyone fw_details = dict() key = "cinder_api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "cinder-api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8776'] fw_details[key]['proto'] = "tcp" config['FIREWALL_CINDER_API_RULES'] = fw_details
def create_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_CONTROLLER_HOST'] ssl_cert_file = config['CONFIG_IRONIC_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_ironic.crt') ssl_key_file = config['CONFIG_IRONIC_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_ironic.key') service = 'ironic' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) fw_details = dict() key = "ironic-api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "ironic-api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['6385'] fw_details[key]['proto'] = "tcp" config['FIREWALL_IRONIC_API_RULES'] = fw_details
def create_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_ceilometer.crt') ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_ceilometer.key') ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'ceilometer' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) fw_details = dict() key = "ceilometer_api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "ceilometer-api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8777'] fw_details[key]['proto'] = "tcp" config['FIREWALL_CEILOMETER_RULES'] = fw_details
def create_all_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_MAGNUM_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_magnum.crt' ) ssl_key_file = config['CONFIG_MAGNUM_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_magnum.key' ) ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'magnum' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) fw_details = dict() key = "magnum" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "magnum api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['9511'] fw_details[key]['proto'] = "tcp" config['FIREWALL_MAGNUM_API_RULES'] = fw_details
def create_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_STORAGE_HOST'] ssl_cert_file = config['CONFIG_GLANCE_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_glance.crt' ) ssl_key_file = config['CONFIG_GLANCE_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_glance.key' ) service = 'glance' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) fw_details = dict() key = "glance_api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "glance" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['9292'] fw_details[key]['proto'] = "tcp" config['FIREWALL_GLANCE_RULES'] = fw_details
def create_manifest(config, messages): if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_CONTROLLER_HOST'] ssl_cert_file = config['CONFIG_HEAT_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_heat.crt' ) ssl_key_file = config['CONFIG_HEAT_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_heat.key' ) service = 'heat' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) fw_details = dict() key = "heat" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "heat" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8004'] fw_details[key]['proto'] = "tcp" config['FIREWALL_HEAT_RULES'] = fw_details
def create_manifest(config, messages): if config['CONFIG_UNSUPPORTED'] != 'y': config['CONFIG_SAHARA_HOST'] = config['CONFIG_CONTROLLER_HOST'] if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_SAHARA_HOST'] ssl_cert_file = config['CONFIG_SAHARA_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_sahara.crt') ssl_key_file = config['CONFIG_SAHARA_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_sahara.key') service = 'sahara' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) fw_details = dict() key = "sahara-api" fw_details.setdefault(key, {}) fw_details[key]["host"] = "ALL" fw_details[key]["service_name"] = "sahara api" fw_details[key]["chain"] = "INPUT" fw_details[key]["ports"] = ["8386"] fw_details[key]["proto"] = "tcp" config["FIREWALL_SAHARA_CFN_RULES"] = fw_details
def create_manifest(config, messages): if config['CONFIG_UNSUPPORTED'] != 'y': config['CONFIG_STORAGE_HOST'] = config['CONFIG_CONTROLLER_HOST'] if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_host = config['CONFIG_STORAGE_HOST'] ssl_cert_file = config['CONFIG_MANILA_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_manila.crt' ) ssl_key_file = config['CONFIG_MANILA_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_manila.key' ) service = 'manila' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) # Change these from text to Boolean values boolean_keys = ['CONFIG_MANILA_GENERIC_DRV_HANDLES_SHARE_SERVERS', 'CONFIG_MANILA_NETAPP_DRV_HANDLES_SHARE_SERVERS'] for key in [k for k in boolean_keys if k in config]: if config[key].lower() == "true": config[key] = True elif config[key].lower() == "false": config[key] = False # manila API should be open for everyone fw_details = dict() key = "manila_api" fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "manila-api" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['8786'] fw_details[key]['proto'] = "tcp" config['FIREWALL_MANILA_API_RULES'] = fw_details
def create_manifests(config, messages): global q_hosts service_plugins = ['qos', 'trunk'] service_providers = [] if config['CONFIG_LBAAS_INSTALL'] == 'y': lbaas_plugin = ('neutron_lbaas.services.loadbalancer.plugin.' 'LoadBalancerPluginv2') service_plugins.append(lbaas_plugin) lbaas_sp = ('LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.' 'plugin_driver.HaproxyOnHostPluginDriver:default') service_providers.append(lbaas_sp) if use_ml2_with_ovn(config): service_plugins.append('ovn-router') else: # ML2 uses the L3 Router service plugin to implement l3 agent for linuxbridge and ovs service_plugins.append('router') if config['CONFIG_NEUTRON_METERING_AGENT_INSTALL'] == 'y': service_plugins.append('metering') if config['CONFIG_NEUTRON_FWAAS'] == 'y': service_plugins.append('firewall_v2') fwaas_sp = ( 'FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.' 'service_drivers.agents.agents.FirewallAgentDriver:default') service_providers.append(fwaas_sp) if config['CONFIG_NEUTRON_VPNAAS'] == 'y': service_plugins.append('vpnaas') vpnaas_sp = ('VPN:libreswan:neutron_vpnaas.services.vpn.' 'service_drivers.ipsec.IPsecVPNDriver:default') service_providers.append(vpnaas_sp) config['SERVICE_PLUGINS'] = (service_plugins if service_plugins else 'undef') config['SERVICE_PROVIDERS'] = (service_providers if service_providers else []) config['FIREWALL_DRIVER'] = ("neutron.agent.linux.iptables_firewall." "OVSHybridIptablesFirewallDriver") plugin_manifest = 'neutron_ml2_plugin' if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_NEUTRON_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_neutron.crt') ssl_key_file = config['CONFIG_NEUTRON_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_neutron.key') service = 'neutron' for host in q_hosts: if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file) if host in api_hosts: # Firewall fw_details = dict() key = "neutron_server_%s" % host fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "neutron server" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['9696'] fw_details[key]['proto'] = "tcp" if use_ml2_with_ovn(config): key = "ovn_northd_%s" % host fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "ovn northd" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['6641'] fw_details[key]['proto'] = "tcp" key = "ovn_southd_%s" % host fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "ovn southd" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['6642'] fw_details[key]['proto'] = "tcp" config['FIREWALL_NEUTRON_SERVER_RULES'] = fw_details # We also need to open VXLAN/GRE port for agent if (use_openvswitch_vxlan(config) or use_openvswitch_gre(config) or use_ovn_geneve(config)): if config['CONFIG_IP_VERSION'] == 'ipv6': msg = output_messages.WARN_IPV6_OVS messages.append(utils.color_text(msg % host, 'red')) fw_details = dict() if (config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS']): tunnel_subnets = map( str.strip, config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS'].split(',')) cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s" % host.replace('.', '_')) for subnet in tunnel_subnets: tunnel_fw_details(config, host, subnet, fw_details) config[cf_fw_nt_key] = fw_details else: cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s" % host.replace('.', '_')) for n_host in network_hosts | compute_hosts: if config['CONFIG_NEUTRON_OVS_TUNNEL_IF']: if config['CONFIG_USE_SUBNETS'] == 'y': iface = common.cidr_to_ifname( config['CONFIG_NEUTRON_OVS_TUNNEL_IF'], n_host, config) else: iface = config['CONFIG_NEUTRON_OVS_TUNNEL_IF'] ifip = ("ipaddress_%s" % iface) ifip = re.sub('[\.\-\:]', '_', ifip) try: src_host = config['HOST_DETAILS'][n_host][ifip] except KeyError: raise KeyError('Couldn\'t detect ipaddress of ' 'interface %s on node %s' % (iface, n_host)) else: src_host = n_host tunnel_fw_details(config, host, src_host, fw_details) config[cf_fw_nt_key] = fw_details
def create_compute_manifest(config, messages): global compute_hosts, network_hosts if config["CONFIG_HORIZON_SSL"] == 'y': config["CONFIG_VNCPROXY_PROTOCOL"] = "https" else: config["CONFIG_VNCPROXY_PROTOCOL"] = "http" migrate_protocol = config['CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL'] if migrate_protocol == 'ssh': config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = ( 'qemu+ssh://nova@%s/system?no_verify=1&' 'keyfile=/etc/nova/ssh/nova_migration_key' ) else: config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = ( 'qemu+tcp://nova@%s/system' ) ssh_keys_details = {} for host in compute_hosts: try: hostname, aliases, addrs = socket.gethostbyaddr(host) except socket.herror: hostname, aliases, addrs = (host, [], []) for hostkey in config['HOST_KEYS_%s' % host].split('\n'): hostkey = hostkey.strip() if not hostkey: continue _, host_key_type, host_key_data = hostkey.split() key = "%s.%s" % (host_key_type, hostname) ssh_keys_details.setdefault(key, {}) ssh_keys_details[key]['ensure'] = 'present' ssh_keys_details[key]['host_aliases'] = aliases + addrs ssh_keys_details[key]['key'] = host_key_data ssh_keys_details[key]['type'] = host_key_type config['SSH_KEYS'] = ssh_keys_details if config['CONFIG_VMWARE_BACKEND'] == 'y': vcenters = [i.strip() for i in config['CONFIG_VCENTER_CLUSTER_NAMES'].split(',') if i.strip()] if not vcenters: raise exceptions.ParamValidationError( "Please specify at least one VMware vCenter cluster in" " CONFIG_VCENTER_CLUSTER_NAMES" ) if len(vcenters) != len(compute_hosts): if len(vcenters) > 1: raise exceptions.ParamValidationError( "Number of vmware clusters %s is not same" " as number of nova computes %s", (vcenters, compute_hosts) ) else: vcenters = len(compute_hosts) * [vcenters[0]] vmware_clusters = dict(zip(compute_hosts, vcenters)) config['CONFIG_VCENTER_CLUSTERS'] = vmware_clusters for host in compute_hosts: if config['CONFIG_IRONIC_INSTALL'] == 'y': cm = 'ironic.nova.compute.manager.ClusteredComputeManager' config['CONFIG_NOVA_COMPUTE_MANAGER'] = cm fw_details = dict() cf_fw_qemu_mig_key = "FIREWALL_NOVA_QEMU_MIG_RULES_%s" % host for c_host in compute_hosts: key = "nova_qemu_migration_%s_%s" % (host, c_host) fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % c_host fw_details[key]['service_name'] = "nova qemu migration" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['16509', '49152-49215'] fw_details[key]['proto'] = "tcp" config[cf_fw_qemu_mig_key] = fw_details if config['CONFIG_NEUTRON_INSTALL'] != 'y': key = 'CONFIG_NOVA_COMPUTE_PRIVIF' if not config[key].strip(): config[key] = dummy_interface(host) if config['CONFIG_USE_SUBNETS'] == 'y': netface = common.cidr_to_ifname( config[key], host, config ) else: netface = config[key] check_ifcfg(host, netface) try: bring_up_ifcfg(host, netface) except exceptions.ScriptRuntimeError as ex: # just warn user to do it by himself messages.append(str(ex)) if config['CONFIG_CEILOMETER_INSTALL'] == 'y': if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_ceilometer.crt' ) ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_ceilometer.key' ) ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'ceilometer' generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file) fw_details = dict() key = "nova_compute" fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % config['CONFIG_CONTROLLER_HOST'] fw_details[key]['service_name'] = "nova compute" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['5900-5999'] fw_details[key]['proto'] = "tcp" config['FIREWALL_NOVA_COMPUTE_RULES'] = fw_details
def create_compute_manifest(config, messages): global compute_hosts, network_hosts if config["CONFIG_HORIZON_SSL"] == 'y': config["CONFIG_VNCPROXY_PROTOCOL"] = "https" else: config["CONFIG_VNCPROXY_PROTOCOL"] = "http" migrate_protocol = config['CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL'] if migrate_protocol == 'ssh': config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = ( 'qemu+ssh://nova@%s/system?no_verify=1&' 'keyfile=/etc/nova/ssh/nova_migration_key' ) else: config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = ( 'qemu+tcp://nova@%s/system' ) ssh_keys_details = {} for host in compute_hosts: try: hostname, aliases, addrs = socket.gethostbyaddr(host) except socket.herror: hostname, aliases, addrs = (host, [], []) for hostkey in config['HOST_KEYS_%s' % host].split('\n'): hostkey = hostkey.strip() if not hostkey: continue _, host_key_type, host_key_data = hostkey.split() key = "%s.%s" % (host_key_type, hostname) ssh_keys_details.setdefault(key, {}) ssh_keys_details[key]['ensure'] = 'present' ssh_keys_details[key]['host_aliases'] = aliases + addrs ssh_keys_details[key]['key'] = host_key_data ssh_keys_details[key]['type'] = host_key_type config['SSH_KEYS'] = ssh_keys_details if config['CONFIG_VMWARE_BACKEND'] == 'y': vcenters = [i.strip() for i in config['CONFIG_VCENTER_CLUSTER_NAMES'].split(',') if i.strip()] if not vcenters: raise exceptions.ParamValidationError( "Please specify at least one VMware vCenter cluster in" " CONFIG_VCENTER_CLUSTER_NAMES" ) if len(vcenters) != len(compute_hosts): if len(vcenters) > 1: raise exceptions.ParamValidationError( "Number of vmware clusters %s is not same" " as number of nova computes %s", (vcenters, compute_hosts) ) else: vcenters = len(compute_hosts) * [vcenters[0]] vmware_clusters = dict(zip(compute_hosts, vcenters)) config['CONFIG_VCENTER_CLUSTERS'] = vmware_clusters for host in compute_hosts: if config['CONFIG_IRONIC_INSTALL'] == 'y': cm = 'ironic.nova.compute.manager.ClusteredComputeManager' config['CONFIG_NOVA_COMPUTE_MANAGER'] = cm fw_details = dict() cf_fw_qemu_mig_key = "FIREWALL_NOVA_QEMU_MIG_RULES_%s" % host for c_host in compute_hosts: key = "nova_qemu_migration_%s_%s" % (host, c_host) fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % c_host fw_details[key]['service_name'] = "nova qemu migration" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['16509', '49152-49215'] fw_details[key]['proto'] = "tcp" config[cf_fw_qemu_mig_key] = fw_details if config['CONFIG_NEUTRON_INSTALL'] != 'y': key = 'CONFIG_NOVA_COMPUTE_PRIVIF' if not config[key].strip(): config[key] = dummy_interface(host) if config['CONFIG_USE_SUBNETS'] == 'y': netface = common.cidr_to_ifname( config[key], host, config ) else: netface = config[key] check_ifcfg(host, netface) try: bring_up_ifcfg(host, netface) except exceptions.ScriptRuntimeError as ex: # just warn user to do it by himself messages.append(str(ex)) if config['CONFIG_CEILOMETER_INSTALL'] == 'y': if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_ceilometer.crt' ) ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_ceilometer.key' ) ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'ceilometer' generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file) fw_details = dict() key = "nova_compute" fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % config['CONFIG_CONTROLLER_HOST'] fw_details[key]['service_name'] = "nova compute" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['5900-5999'] fw_details[key]['proto'] = "tcp" config['FIREWALL_NOVA_COMPUTE_RULES'] = fw_details
def create_manifest(config, messages): horizon_host = config['CONFIG_CONTROLLER_HOST'] manifestfile = "%s_horizon.pp" % horizon_host proto = "http" config["CONFIG_HORIZON_PORT"] = 80 sslmanifestdata = '' if config["CONFIG_HORIZON_SSL"] == 'y': config["CONFIG_HORIZON_PORT"] = 443 proto = "https" # Are we using the users cert/key files if config["CONFIG_HORIZON_SSL_CERT"]: ssl_cert_file = config["CONFIG_HORIZON_SSL_CERT"] ssl_key_file = config["CONFIG_HORIZON_SSL_KEY"] ssl_chain_file = config["CONFIG_HORIZON_SSL_CACERT"] if not os.path.exists(ssl_cert_file): raise exceptions.ParamValidationError( "The file %s doesn't exist" % ssl_cert_file) if not os.path.exists(ssl_key_file): raise exceptions.ParamValidationError( "The file %s doesn't exist" % ssl_key_file) if not os.path.exists(ssl_chain_file): raise exceptions.ParamValidationError( "The file %s doesn't exist" % ssl_chain_file) final_cert = open(ssl_cert_file, 'rt').read() final_key = open(ssl_key_file, 'rt').read() final_cacert = open(ssl_chain_file, 'rt').read() host = config['CONFIG_CONTROLLER_HOST'] deliver_ssl_file(final_cacert, ssl_chain_file, host) deliver_ssl_file(final_cert, ssl_cert_file, host) deliver_ssl_file(final_key, ssl_key_file, host) else: ssl_cert_file = config["CONFIG_HORIZON_SSL_CERT"] = ( '/etc/pki/tls/certs/ssl_dashboard.crt') ssl_key_file = config["CONFIG_HORIZON_SSL_KEY"] = ( '/etc/pki/tls/private/ssl_dashboard.key') cacert = config['CONFIG_SSL_CACERT'] config["CONFIG_HORIZON_SSL_CACERT"] = cacert ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'dashboard' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) messages.append( "%sNOTE%s : A certificate was generated to be used for ssl, " "You should change the ssl certificate configured in " "/etc/httpd/conf.d/ssl.conf on %s to use a CA signed cert." % (utils.COLORS['red'], utils.COLORS['nocolor'], horizon_host)) config["CONFIG_HORIZON_NEUTRON_LB"] = False config["CONFIG_HORIZON_NEUTRON_FW"] = False config["CONFIG_HORIZON_NEUTRON_VPN"] = False if config['CONFIG_NEUTRON_INSTALL'] == 'y': if config["CONFIG_LBAAS_INSTALL"] == 'y': config["CONFIG_HORIZON_NEUTRON_LB"] = True if config["CONFIG_NEUTRON_FWAAS"] == 'y': config["CONFIG_HORIZON_NEUTRON_FW"] = True if config["CONFIG_NEUTRON_VPNAAS"] == 'y': config["CONFIG_HORIZON_NEUTRON_VPN"] = True manifestdata = getManifestTemplate("horizon") appendManifestFile(manifestfile, manifestdata) msg = ("To access the OpenStack Dashboard browse to %s://%s/dashboard .\n" "Please, find your login credentials stored in the keystonerc_admin" " in your home directory." % (proto, config['CONFIG_CONTROLLER_HOST'])) messages.append(msg)
def create_compute_manifest(config, messages): global compute_hosts, network_hosts if config["CONFIG_HORIZON_SSL"] == 'y': config["CONFIG_VNCPROXY_PROTOCOL"] = "https" else: config["CONFIG_VNCPROXY_PROTOCOL"] = "http" migrate_protocol = config['CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL'] if migrate_protocol == 'ssh': config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = ( 'qemu+ssh://nova@%s/system?no_verify=1&' 'keyfile=/etc/nova/ssh/nova_migration_key' ) else: config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = ( 'qemu+tcp://nova@%s/system' ) ssh_hostkeys = '' ssh_keys_details = {} for host in compute_hosts: try: hostname, aliases, addrs = socket.gethostbyaddr(host) except socket.herror: hostname, aliases, addrs = (host, [], []) for hostkey in config['HOST_KEYS_%s' % host].split('\n'): hostkey = hostkey.strip() if not hostkey: continue _, host_key_type, host_key_data = hostkey.split() key = "%s.%s" % (host_key_type, hostname) ssh_keys_details.setdefault(key, {}) ssh_keys_details[key]['ensure'] = 'present' ssh_keys_details[key]['host_aliases'] = aliases + addrs ssh_keys_details[key]['key'] = host_key_data ssh_keys_details[key]['type'] = host_key_type config['SSH_KEYS'] = ssh_keys_details ssh_hostkeys += getManifestTemplate("sshkey") for host in compute_hosts: if config['CONFIG_IRONIC_INSTALL'] == 'y': cm = 'ironic.nova.compute.manager.ClusteredComputeManager' config['CONFIG_NOVA_COMPUTE_MANAGER'] = cm manifestdata = getManifestTemplate("nova_compute") fw_details = dict() cf_fw_qemu_mig_key = "FIREWALL_NOVA_QEMU_MIG_RULES_%s" % host for c_host in compute_hosts: key = "nova_qemu_migration_%s_%s" % (host, c_host) fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % c_host fw_details[key]['service_name'] = "nova qemu migration" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['16509', '49152-49215'] fw_details[key]['proto'] = "tcp" config[cf_fw_qemu_mig_key] = fw_details manifestdata += createFirewallResources(cf_fw_qemu_mig_key) if config['CONFIG_VMWARE_BACKEND'] == 'y': manifestdata += getManifestTemplate("nova_compute_vmware.pp") elif config['CONFIG_IRONIC_INSTALL'] == 'y': manifestdata += getManifestTemplate("nova_compute_ironic.pp") else: manifestdata += getManifestTemplate("nova_compute_libvirt.pp") if (config['CONFIG_VMWARE_BACKEND'] != 'y' and config['CONFIG_CINDER_INSTALL'] == 'y' and 'gluster' in config['CONFIG_CINDER_BACKEND']): manifestdata += getManifestTemplate("nova_gluster") if (config['CONFIG_VMWARE_BACKEND'] != 'y' and config['CONFIG_CINDER_INSTALL'] == 'y' and 'nfs' in config['CONFIG_CINDER_BACKEND']): manifestdata += getManifestTemplate("nova_nfs") manifestfile = "%s_nova.pp" % host if config['CONFIG_NEUTRON_INSTALL'] != 'y': if host not in network_hosts: manifestdata += getManifestTemplate('nova_compute_flat') if config['CONFIG_USE_SUBNETS'] == 'y': netface = common.cidr_to_ifname( config['CONFIG_NOVA_COMPUTE_PRIVIF'], host, config ) else: netface = config['CONFIG_NOVA_COMPUTE_PRIVIF'] check_ifcfg(host, netface) try: bring_up_ifcfg(host, netface) except ScriptRuntimeError as ex: # just warn user to do it by himself messages.append(str(ex)) if config['CONFIG_CEILOMETER_INSTALL'] == 'y': if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_ceilometer.crt' ) ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_ceilometer.key' ) ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'ceilometer' generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file) mq_template = get_mq(config, "nova_ceilometer") manifestdata += getManifestTemplate(mq_template) manifestdata += getManifestTemplate("nova_ceilometer") fw_details = dict() key = "nova_compute" fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % config['CONFIG_CONTROLLER_HOST'] fw_details[key]['service_name'] = "nova compute" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['5900-5999'] fw_details[key]['proto'] = "tcp" config['FIREWALL_NOVA_COMPUTE_RULES'] = fw_details manifestdata += "\n" + createFirewallResources( 'FIREWALL_NOVA_COMPUTE_RULES' ) manifestdata += "\n" + ssh_hostkeys appendManifestFile(manifestfile, manifestdata)
def create_compute_manifest(config, messages): global compute_hosts, network_hosts if config["CONFIG_HORIZON_SSL"] == 'y': config["CONFIG_VNCPROXY_PROTOCOL"] = "https" else: config["CONFIG_VNCPROXY_PROTOCOL"] = "http" config["CONFIG_NOVA_ALLOW_RESIZE_TO_SAME"] = len(compute_hosts) == 1 ssh_keys_details = {} for host in compute_hosts: try: hostname, aliases, addrs = socket.gethostbyaddr(host) except socket.herror: hostname, aliases, addrs = (host, [], []) for hostkey in config['HOST_KEYS_%s' % host].split('\n'): hostkey = hostkey.strip() if not hostkey: continue _, host_key_type, host_key_data = hostkey.split() key = "%s.%s" % (host_key_type, hostname) ssh_keys_details.setdefault(key, {}) ssh_keys_details[key]['ensure'] = 'present' ssh_keys_details[key]['host_aliases'] = [hostname] + aliases + addrs ssh_keys_details[key]['key'] = host_key_data ssh_keys_details[key]['type'] = host_key_type config['SSH_KEYS'] = ssh_keys_details if config['CONFIG_VMWARE_BACKEND'] == 'y': vcenters = [i.strip() for i in config['CONFIG_VCENTER_CLUSTER_NAMES'].split(',') if i.strip()] if not vcenters: raise exceptions.ParamValidationError( "Please specify at least one VMware vCenter cluster in" " CONFIG_VCENTER_CLUSTER_NAMES" ) if len(vcenters) != len(compute_hosts): if len(vcenters) > 1: raise exceptions.ParamValidationError( "Number of vmware clusters %s is not same" " as number of nova computes %s", (vcenters, compute_hosts) ) else: vcenters = len(compute_hosts) * [vcenters[0]] vmware_clusters = dict(zip(compute_hosts, vcenters)) config['CONFIG_VCENTER_CLUSTERS'] = vmware_clusters for host in compute_hosts: fw_details = dict() cf_fw_qemu_mig_key = ("FIREWALL_NOVA_QEMU_MIG_RULES_%s" % host.replace('.', '_')) for c_host in compute_hosts: key = "nova_qemu_migration_%s_%s" % (host, c_host) fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % c_host fw_details[key]['service_name'] = "nova qemu migration" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['16509', '49152-49215'] fw_details[key]['proto'] = "tcp" config[cf_fw_qemu_mig_key] = fw_details if config['CONFIG_CEILOMETER_INSTALL'] == 'y': if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_ceilometer.crt' ) ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_ceilometer.key' ) ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'ceilometer' generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file) fw_details = dict() key = "nova_compute" fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % config['CONFIG_CONTROLLER_HOST'] fw_details[key]['service_name'] = "nova compute" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['5900-5999'] fw_details[key]['proto'] = "tcp" config['FIREWALL_NOVA_COMPUTE_RULES'] = fw_details
def create_manifest(config, messages): horizon_host = config['CONFIG_CONTROLLER_HOST'] manifestfile = "%s_horizon.pp" % horizon_host proto = "http" config["CONFIG_HORIZON_PORT"] = 80 sslmanifestdata = '' if config["CONFIG_HORIZON_SSL"] == 'y': config["CONFIG_HORIZON_PORT"] = 443 proto = "https" # Are we using the users cert/key files if config["CONFIG_HORIZON_SSL_CERT"]: ssl_cert_file = config["CONFIG_HORIZON_SSL_CERT"] ssl_key_file = config["CONFIG_HORIZON_SSL_KEY"] ssl_chain_file = config["CONFIG_HORIZON_SSL_CACERT"] if not os.path.exists(ssl_cert_file): raise exceptions.ParamValidationError( "The file %s doesn't exist" % ssl_cert_file) if not os.path.exists(ssl_key_file): raise exceptions.ParamValidationError( "The file %s doesn't exist" % ssl_key_file) if not os.path.exists(ssl_chain_file): raise exceptions.ParamValidationError( "The file %s doesn't exist" % ssl_chain_file) final_cert = open(ssl_cert_file, 'rt').read() final_key = open(ssl_key_file, 'rt').read() final_cacert = open(ssl_chain_file, 'rt').read() host = config['CONFIG_CONTROLLER_HOST'] deliver_ssl_file(final_cacert, ssl_chain_file, host) deliver_ssl_file(final_cert, ssl_cert_file, host) deliver_ssl_file(final_key, ssl_key_file, host) else: ssl_cert_file = config["CONFIG_HORIZON_SSL_CERT"] = ( '/etc/pki/tls/certs/ssl_dashboard.crt' ) ssl_key_file = config["CONFIG_HORIZON_SSL_KEY"] = ( '/etc/pki/tls/private/ssl_dashboard.key' ) cacert = config['CONFIG_SSL_CACERT'] config["CONFIG_HORIZON_SSL_CACERT"] = cacert ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'dashboard' generate_ssl_cert(config, ssl_host, service, ssl_key_file, ssl_cert_file) messages.append( "%sNOTE%s : A certificate was generated to be used for ssl, " "You should change the ssl certificate configured in " "/etc/httpd/conf.d/ssl.conf on %s to use a CA signed cert." % (utils.COLORS['red'], utils.COLORS['nocolor'], horizon_host)) config["CONFIG_HORIZON_NEUTRON_LB"] = False config["CONFIG_HORIZON_NEUTRON_FW"] = False config["CONFIG_HORIZON_NEUTRON_VPN"] = False if config['CONFIG_NEUTRON_INSTALL'] == 'y': if config["CONFIG_LBAAS_INSTALL"] == 'y': config["CONFIG_HORIZON_NEUTRON_LB"] = True if config["CONFIG_NEUTRON_FWAAS"] == 'y': config["CONFIG_HORIZON_NEUTRON_FW"] = True if config["CONFIG_NEUTRON_VPNAAS"] == 'y': config["CONFIG_HORIZON_NEUTRON_VPN"] = True manifestdata = getManifestTemplate("horizon") manifestdata += getManifestTemplate("apache_ports") appendManifestFile(manifestfile, manifestdata) msg = ("To access the OpenStack Dashboard browse to %s://%s/dashboard .\n" "Please, find your login credentials stored in the keystonerc_admin" " in your home directory." % (proto, config['CONFIG_CONTROLLER_HOST'])) messages.append(msg)
def create_manifests(config, messages): global q_hosts service_plugins = [] if config['CONFIG_LBAAS_INSTALL'] == 'y': service_plugins.append('lbaas') # ML2 uses the L3 Router service plugin to implement l3 agent service_plugins.append('router') if config['CONFIG_NEUTRON_METERING_AGENT_INSTALL'] == 'y': service_plugins.append('metering') if config['CONFIG_NEUTRON_FWAAS'] == 'y': service_plugins.append('firewall') if config['CONFIG_NEUTRON_VPNAAS'] == 'y': service_plugins.append('vpnaas') config['SERVICE_PLUGINS'] = (service_plugins if service_plugins else 'undef') plugin_manifest = 'neutron_ml2_plugin' if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_NEUTRON_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_neutron.crt') ssl_key_file = config['CONFIG_NEUTRON_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_neutron.key') service = 'neutron' for host in q_hosts: if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file) manifest_file = "%s_neutron.pp" % (host, ) manifest_data = getManifestTemplate("neutron") manifest_data += getManifestTemplate(get_mq(config, "neutron")) appendManifestFile(manifest_file, manifest_data, 'neutron') if host in api_hosts: manifest_file = "%s_neutron.pp" % (host, ) manifest_data = getManifestTemplate("neutron_api") if config['CONFIG_NOVA_INSTALL'] == 'y': template_name = "neutron_notifications" manifest_data += getManifestTemplate(template_name) # Set up any l2 plugin configs we need only on neutron api nodes # XXX I am not completely sure about this, but it seems necessary: manifest_data += getManifestTemplate(plugin_manifest) # Firewall fw_details = dict() key = "neutron_server_%s" % host fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "neutron server" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['9696'] fw_details[key]['proto'] = "tcp" config['FIREWALL_NEUTRON_SERVER_RULES'] = fw_details manifest_data += createFirewallResources( 'FIREWALL_NEUTRON_SERVER_RULES') appendManifestFile(manifest_file, manifest_data, 'neutron') # We also need to open VXLAN/GRE port for agent manifest_data = "" if use_openvswitch_vxlan(config) or use_openvswitch_gre(config): if config['CONFIG_IP_VERSION'] == 'ipv6': msg = output_messages.WARN_IPV6_OVS messages.append(utils.color_text(msg % host, 'red')) if (config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS']): tunnel_subnets = map( str.strip, config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS'].split(',')) for subnet in tunnel_subnets: cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s_%s" % (host, subnet)) config[cf_fw_nt_key] = tunnel_fw_details( config, host, subnet) manifest_data += createFirewallResources(cf_fw_nt_key) else: for n_host in network_hosts | compute_hosts: cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s_%s" % (host, n_host)) if config['CONFIG_NEUTRON_OVS_TUNNEL_IF']: if config['CONFIG_USE_SUBNETS'] == 'y': iface = common.cidr_to_ifname( config['CONFIG_NEUTRON_OVS_TUNNEL_IF'], n_host, config) else: iface = config['CONFIG_NEUTRON_OVS_TUNNEL_IF'] ifip = ("ipaddress_%s" % iface) try: src_host = config['HOST_DETAILS'][n_host][ifip] except KeyError: raise KeyError('Couldn\'t detect ipaddress of ' 'interface %s on node %s' % (iface, n_host)) else: src_host = n_host config[cf_fw_nt_key] = tunnel_fw_details( config, host, src_host) manifest_data += createFirewallResources(cf_fw_nt_key) appendManifestFile(manifest_file, manifest_data, 'neutron')
def create_compute_manifest(config, messages): global compute_hosts, network_hosts if config["CONFIG_HORIZON_SSL"] == 'y': config["CONFIG_VNCPROXY_PROTOCOL"] = "https" else: config["CONFIG_VNCPROXY_PROTOCOL"] = "http" migrate_protocol = config['CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL'] if migrate_protocol == 'ssh': config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = ( 'qemu+ssh://nova@%s/system?no_verify=1&' 'keyfile=/etc/nova/ssh/nova_migration_key') else: config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = ( 'qemu+tcp://nova@%s/system') ssh_hostkeys = '' ssh_keys_details = {} for host in compute_hosts: try: hostname, aliases, addrs = socket.gethostbyaddr(host) except socket.herror: hostname, aliases, addrs = (host, [], []) for hostkey in config['HOST_KEYS_%s' % host].split('\n'): hostkey = hostkey.strip() if not hostkey: continue _, host_key_type, host_key_data = hostkey.split() key = "%s.%s" % (host_key_type, hostname) ssh_keys_details.setdefault(key, {}) ssh_keys_details[key]['ensure'] = 'present' ssh_keys_details[key]['host_aliases'] = aliases + addrs ssh_keys_details[key]['key'] = host_key_data ssh_keys_details[key]['type'] = host_key_type config['SSH_KEYS'] = ssh_keys_details ssh_hostkeys += getManifestTemplate("sshkey") for host in compute_hosts: if config['CONFIG_IRONIC_INSTALL'] == 'y': cm = 'ironic.nova.compute.manager.ClusteredComputeManager' config['CONFIG_NOVA_COMPUTE_MANAGER'] = cm manifestdata = getManifestTemplate("nova_compute") fw_details = dict() cf_fw_qemu_mig_key = "FIREWALL_NOVA_QEMU_MIG_RULES_%s" % host for c_host in compute_hosts: key = "nova_qemu_migration_%s_%s" % (host, c_host) fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % c_host fw_details[key]['service_name'] = "nova qemu migration" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['16509', '49152-49215'] fw_details[key]['proto'] = "tcp" config[cf_fw_qemu_mig_key] = fw_details manifestdata += createFirewallResources(cf_fw_qemu_mig_key) if config['CONFIG_VMWARE_BACKEND'] == 'y': manifestdata += getManifestTemplate("nova_compute_vmware.pp") elif config['CONFIG_IRONIC_INSTALL'] == 'y': manifestdata += getManifestTemplate("nova_compute_ironic.pp") else: manifestdata += getManifestTemplate("nova_compute_libvirt.pp") if (config['CONFIG_VMWARE_BACKEND'] != 'y' and config['CONFIG_CINDER_INSTALL'] == 'y' and 'gluster' in config['CONFIG_CINDER_BACKEND']): manifestdata += getManifestTemplate("nova_gluster") if (config['CONFIG_VMWARE_BACKEND'] != 'y' and config['CONFIG_CINDER_INSTALL'] == 'y' and 'nfs' in config['CONFIG_CINDER_BACKEND']): manifestdata += getManifestTemplate("nova_nfs") manifestfile = "%s_nova.pp" % host if config['CONFIG_NEUTRON_INSTALL'] != 'y': if host not in network_hosts: manifestdata += getManifestTemplate('nova_compute_flat') if config['CONFIG_USE_SUBNETS'] == 'y': netface = common.cidr_to_ifname( config['CONFIG_NOVA_COMPUTE_PRIVIF'], host, config) else: netface = config['CONFIG_NOVA_COMPUTE_PRIVIF'] check_ifcfg(host, netface) try: bring_up_ifcfg(host, netface) except ScriptRuntimeError as ex: # just warn user to do it by himself messages.append(str(ex)) if config['CONFIG_CEILOMETER_INSTALL'] == 'y': if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_ceilometer.crt') ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_ceilometer.key') ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'ceilometer' generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file) mq_template = get_mq(config, "nova_ceilometer") manifestdata += getManifestTemplate(mq_template) manifestdata += getManifestTemplate("nova_ceilometer") fw_details = dict() key = "nova_compute" fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % config['CONFIG_CONTROLLER_HOST'] fw_details[key]['service_name'] = "nova compute" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['5900-5999'] fw_details[key]['proto'] = "tcp" config['FIREWALL_NOVA_COMPUTE_RULES'] = fw_details manifestdata += "\n" + createFirewallResources( 'FIREWALL_NOVA_COMPUTE_RULES') manifestdata += "\n" + ssh_hostkeys appendManifestFile(manifestfile, manifestdata)
def create_manifests(config, messages): global q_hosts service_plugins = ['qos', 'trunk'] service_providers = [] if config['CONFIG_LBAAS_INSTALL'] == 'y': lbaas_plugin = ('neutron_lbaas.services.loadbalancer.plugin.' 'LoadBalancerPluginv2') service_plugins.append(lbaas_plugin) lbaas_sp = ('LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.' 'plugin_driver.HaproxyOnHostPluginDriver:default') service_providers.append(lbaas_sp) if use_ml2_with_ovn(config): service_plugins.append('ovn-router') else: # ML2 uses the L3 Router service plugin to implement l3 agent for linuxbridge and ovs service_plugins.append('router') if config['CONFIG_NEUTRON_METERING_AGENT_INSTALL'] == 'y': service_plugins.append('metering') if config['CONFIG_NEUTRON_FWAAS'] == 'y': service_plugins.append('firewall') fwaas_sp = ('FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.' 'OVSHybridIptablesFirewallDriver:default') service_providers.append(fwaas_sp) if config['CONFIG_NEUTRON_VPNAAS'] == 'y': service_plugins.append('vpnaas') vpnaas_sp = ('VPN:libreswan:neutron_vpnaas.services.vpn.' 'service_drivers.ipsec.IPsecVPNDriver:default') service_providers.append(vpnaas_sp) config['SERVICE_PLUGINS'] = (service_plugins if service_plugins else 'undef') config['SERVICE_PROVIDERS'] = (service_providers if service_providers else []) config['FIREWALL_DRIVER'] = ("neutron.agent.linux.iptables_firewall." "OVSHybridIptablesFirewallDriver") plugin_manifest = 'neutron_ml2_plugin' if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_NEUTRON_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_neutron.crt' ) ssl_key_file = config['CONFIG_NEUTRON_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_neutron.key' ) service = 'neutron' for host in q_hosts: if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file) if host in api_hosts: # Firewall fw_details = dict() key = "neutron_server_%s" % host fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "neutron server" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['9696'] fw_details[key]['proto'] = "tcp" if use_ml2_with_ovn(config): key = "ovn_northd_%s" % host fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "ovn northd" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['6641'] fw_details[key]['proto'] = "tcp" key = "ovn_southd_%s" % host fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "ovn southd" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['6642'] fw_details[key]['proto'] = "tcp" config['FIREWALL_NEUTRON_SERVER_RULES'] = fw_details # We also need to open VXLAN/GRE port for agent if (use_openvswitch_vxlan(config) or use_openvswitch_gre(config) or use_ovn_geneve(config)): if config['CONFIG_IP_VERSION'] == 'ipv6': msg = output_messages.WARN_IPV6_OVS messages.append(utils.color_text(msg % host, 'red')) fw_details = dict() if (config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS']): tunnel_subnets = map( str.strip, config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS'].split(',') ) cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s" % host) for subnet in tunnel_subnets: tunnel_fw_details(config, host, subnet, fw_details) config[cf_fw_nt_key] = fw_details else: cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s" % host) for n_host in network_hosts | compute_hosts: if config['CONFIG_NEUTRON_OVS_TUNNEL_IF']: if config['CONFIG_USE_SUBNETS'] == 'y': iface = common.cidr_to_ifname( config['CONFIG_NEUTRON_OVS_TUNNEL_IF'], n_host, config) else: iface = config['CONFIG_NEUTRON_OVS_TUNNEL_IF'] ifip = ("ipaddress_%s" % iface) ifip = re.sub('[\.\-\:]', '_', ifip) try: src_host = config['HOST_DETAILS'][n_host][ifip] except KeyError: raise KeyError('Couldn\'t detect ipaddress of ' 'interface %s on node %s' % (iface, n_host)) else: src_host = n_host tunnel_fw_details(config, host, src_host, fw_details) config[cf_fw_nt_key] = fw_details
def create_compute_manifest(config, messages): global compute_hosts, network_hosts if config["CONFIG_HORIZON_SSL"] == 'y': config["CONFIG_VNCPROXY_PROTOCOL"] = "https" else: config["CONFIG_VNCPROXY_PROTOCOL"] = "http" config["CONFIG_NOVA_ALLOW_RESIZE_TO_SAME"] = len(compute_hosts) == 1 ssh_keys_details = {} for host in compute_hosts: try: hostname, aliases, addrs = socket.gethostbyaddr(host) except socket.herror: hostname, aliases, addrs = (host, [], []) for hostkey in config['HOST_KEYS_%s' % host].split('\n'): hostkey = hostkey.strip() if not hostkey: continue _, host_key_type, host_key_data = hostkey.split() key = "%s.%s" % (host_key_type, hostname) ssh_keys_details.setdefault(key, {}) ssh_keys_details[key]['ensure'] = 'present' ssh_keys_details[key]['host_aliases'] = [hostname] + aliases + addrs ssh_keys_details[key]['key'] = host_key_data ssh_keys_details[key]['type'] = host_key_type config['SSH_KEYS'] = ssh_keys_details if config['CONFIG_VMWARE_BACKEND'] == 'y': vcenters = [i.strip() for i in config['CONFIG_VCENTER_CLUSTER_NAMES'].split(',') if i.strip()] if not vcenters: raise exceptions.ParamValidationError( "Please specify at least one VMware vCenter cluster in" " CONFIG_VCENTER_CLUSTER_NAMES" ) if len(vcenters) != len(compute_hosts): if len(vcenters) > 1: raise exceptions.ParamValidationError( "Number of vmware clusters %s is not same" " as number of nova computes %s", (vcenters, compute_hosts) ) else: vcenters = len(compute_hosts) * [vcenters[0]] vmware_clusters = dict(zip(compute_hosts, vcenters)) config['CONFIG_VCENTER_CLUSTERS'] = vmware_clusters for host in compute_hosts: fw_details = dict() cf_fw_qemu_mig_key = "FIREWALL_NOVA_QEMU_MIG_RULES_%s" % host for c_host in compute_hosts: key = "nova_qemu_migration_%s_%s" % (host, c_host) fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % c_host fw_details[key]['service_name'] = "nova qemu migration" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['16509', '49152-49215'] fw_details[key]['proto'] = "tcp" config[cf_fw_qemu_mig_key] = fw_details if config['CONFIG_CEILOMETER_INSTALL'] == 'y': if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_ceilometer.crt' ) ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_ceilometer.key' ) ssl_host = config['CONFIG_CONTROLLER_HOST'] service = 'ceilometer' generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file) fw_details = dict() key = "nova_compute" fw_details.setdefault(key, {}) fw_details[key]['host'] = "%s" % config['CONFIG_CONTROLLER_HOST'] fw_details[key]['service_name'] = "nova compute" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['5900-5999'] fw_details[key]['proto'] = "tcp" config['FIREWALL_NOVA_COMPUTE_RULES'] = fw_details
def create_manifests(config, messages): global q_hosts service_plugins = [] if config['CONFIG_LBAAS_INSTALL'] == 'y': service_plugins.append('lbaas') # ML2 uses the L3 Router service plugin to implement l3 agent service_plugins.append('router') if config['CONFIG_NEUTRON_METERING_AGENT_INSTALL'] == 'y': service_plugins.append('metering') if config['CONFIG_NEUTRON_FWAAS'] == 'y': service_plugins.append('firewall') if config['CONFIG_NEUTRON_VPNAAS'] == 'y': service_plugins.append('vpnaas') config['SERVICE_PLUGINS'] = (service_plugins if service_plugins else 'undef') config['FIREWALL_DRIVER'] = ("neutron.agent.linux.iptables_firewall." "OVSHybridIptablesFirewallDriver") plugin_manifest = 'neutron_ml2_plugin' if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': ssl_cert_file = config['CONFIG_NEUTRON_SSL_CERT'] = ( '/etc/pki/tls/certs/ssl_amqp_neutron.crt' ) ssl_key_file = config['CONFIG_NEUTRON_SSL_KEY'] = ( '/etc/pki/tls/private/ssl_amqp_neutron.key' ) service = 'neutron' for host in q_hosts: if config['CONFIG_AMQP_ENABLE_SSL'] == 'y': generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file) manifest_file = "%s_neutron.pp" % (host,) manifest_data = getManifestTemplate("neutron") manifest_data += getManifestTemplate(get_mq(config, "neutron")) appendManifestFile(manifest_file, manifest_data, 'neutron') if host in api_hosts: manifest_file = "%s_neutron.pp" % (host,) manifest_data = getManifestTemplate("neutron_api") if config['CONFIG_NOVA_INSTALL'] == 'y': template_name = "neutron_notifications" manifest_data += getManifestTemplate(template_name) # Set up any l2 plugin configs we need only on neutron api nodes # XXX I am not completely sure about this, but it seems necessary: manifest_data += getManifestTemplate(plugin_manifest) # Firewall fw_details = dict() key = "neutron_server_%s" % host fw_details.setdefault(key, {}) fw_details[key]['host'] = "ALL" fw_details[key]['service_name'] = "neutron server" fw_details[key]['chain'] = "INPUT" fw_details[key]['ports'] = ['9696'] fw_details[key]['proto'] = "tcp" config['FIREWALL_NEUTRON_SERVER_RULES'] = fw_details manifest_data += createFirewallResources( 'FIREWALL_NEUTRON_SERVER_RULES' ) appendManifestFile(manifest_file, manifest_data, 'neutron') # We also need to open VXLAN/GRE port for agent manifest_data = "" if use_openvswitch_vxlan(config) or use_openvswitch_gre(config): if config['CONFIG_IP_VERSION'] == 'ipv6': msg = output_messages.WARN_IPV6_OVS messages.append(utils.color_text(msg % host, 'red')) if (config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS']): tunnel_subnets = map( str.strip, config['CONFIG_NEUTRON_OVS_TUNNEL_SUBNETS'].split(',') ) for subnet in tunnel_subnets: cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s_%s" % (host, subnet)) config[cf_fw_nt_key] = tunnel_fw_details(config, host, subnet) manifest_data += createFirewallResources(cf_fw_nt_key) else: for n_host in network_hosts | compute_hosts: cf_fw_nt_key = ("FIREWALL_NEUTRON_TUNNEL_RULES_%s_%s" % (host, n_host)) if config['CONFIG_NEUTRON_OVS_TUNNEL_IF']: if config['CONFIG_USE_SUBNETS'] == 'y': iface = common.cidr_to_ifname( config['CONFIG_NEUTRON_OVS_TUNNEL_IF'], n_host, config) else: iface = config['CONFIG_NEUTRON_OVS_TUNNEL_IF'] ifip = ("ipaddress_%s" % iface) try: src_host = config['HOST_DETAILS'][n_host][ifip] except KeyError: raise KeyError('Couldn\'t detect ipaddress of ' 'interface %s on node %s' % (iface, n_host)) else: src_host = n_host config[cf_fw_nt_key] = tunnel_fw_details(config, host, src_host) manifest_data += createFirewallResources(cf_fw_nt_key) appendManifestFile(manifest_file, manifest_data, 'neutron')