Rush has uploaded a new change for review. https://gerrit.wikimedia.org/r/254056
Change subject: WIP: hiera-ize labs openstack nova configuration ...................................................................... WIP: hiera-ize labs openstack nova configuration This is not the ultimate final state. Change-Id: I57f52537ad8ff326160a678b7a182cb64807bcc9 --- M hieradata/common.yaml M hieradata/eqiad.yaml M manifests/role/ceilometer.pp M manifests/role/horizon.pp M manifests/role/labs/openstack/nova.pp M manifests/role/nodepool.pp M modules/role/manifests/salt/masters/labs.pp 7 files changed, 117 insertions(+), 204 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/56/254056/1 diff --git a/hieradata/common.yaml b/hieradata/common.yaml index f1bc271..fffa883 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
@@ -267,7 +267,39 @@ # LABS -labs_designate_hostname: "holmium.wikimedia.org" -labs_nova_api_host: "labnet1002.eqiad.wmnet" -labs_nova_network_host: "labnet1002" -labs_nova_network_ip: "10.64.20.25" +labs_designate_hostname: &labsdesignatehostname "holmium.wikimedia.org" +labs_nova_api_host: &labsnovaapihost "labnet1002.eqiad.wmnet" +labs_nova_network_host: &labsnovanetworkhost "labnet1002" +labs_nova_network_ip: &labsnovanetworkip "10.64.20.25" +status_wiki_host_master: 'wikitech.wikimedia.org' + +# By default, don't allow projects to allocate public IPs; this way we can +# let users have network admin rights, for firewall rules and such, and can +# give them public ips by increasing their quota +novaconfig: + network_host: *labsnovanetworkip + api_host: *labsnovaapihost + db_name: 'nova' + db_user: 'nova' + ceilometer_db_name: 'ceilometer' + ldap_base_dn: 'dc=wikimedia,dc=org' + ldap_user_dn: 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' + ldap_proxyagent: 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org' + puppet_db_name: 'puppet' + puppet_db_user: 'puppet' + quota_floating_ips: '0' + libvirt_type: 'kvm' + my_ip: "%{::ipaddress_eth0}" + zone: "${::site}" + network_public_interface: 'eth0' + dhcp_domain: "${::site}.wmflabs" + network_flat_interface: 'eth1.1102' + network_flat_tagged_base_interface: 'eth1' + network_flat_interface_vlan: '1102' + flat_network_bridge: 'br1102' + live_migration_uri: "qemu://%s.${::site}.wmnet/system?pkipath=/var/lib/nova" + fixed_range: '10.68.16.0/21' + dhcp_start: '10.68.16.4' + network_public_ip: '208.80.155.255' + dmz_cidr: '208.80.155.0/22,10.0.0.0/8' + diff --git a/hieradata/eqiad.yaml b/hieradata/eqiad.yaml index f17b200..62e2967 100644 --- a/hieradata/eqiad.yaml +++ b/hieradata/eqiad.yaml 
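Review bot: The `zone`, `dhcp_domain` and `live_migration_uri` values under `novaconfig:` use Puppet-style `${::site}`, which hiera does not interpolate, so all three reach the manifests as literal strings; only `my_ip` uses the hiera form `%{...}`. They should read `zone: "%{::site}"`, `dhcp_domain: "%{::site}.wmflabs"` and `live_migration_uri: "qemu://%s.%{::site}.wmnet/system?pkipath=/var/lib/nova"`. As written, the migration URI would name a host that cannot resolve and the DHCP domain would be wrong on every site. The three comment lines about public IP allocation now sit above `novaconfig:` and would be clearer directly above `quota_floating_ips: '0'`, the key they explain.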
@@ -26,26 +26,6 @@ # ganglia_aggregators: carbon.wikimedia.org:9649 -# -# Labs -# -labs_nova_controller: "labcontrol1001.wikimedia.org" -# _spare is a duplicate/backup controller. In theory it has the -# same state as the main controller -labs_nova_controller_spare: "labcontrol1002.wikimedia.org" -# _other is the controller in the other datacenter -labs_nova_controller_other: "labcontrol2001.wikimedia.org" -labs_glance_controller: "labcontrol1001.wikimedia.org" -labs_puppet_master: "labs-puppetmaster-eqiad.wikimedia.org" -labs_keystone_host: "labcontrol1001.wikimedia.org" -# These are the old, soon-to-be-phased-out dns servers: -labs_ldap_dns_host: "labs-ns0.wikimedia.org" -labs_ldap_dns_host_secondary: "labs-ns1.wikimedia.org" -# These are the up-and-coming, better dns servers: -labs_dns_host: "labs-ns2.wikimedia.org" -labs_recursor: "labs-recursor0.wikimedia.org" -labs_designate_hostname_secondary: "labservices1001.wikimedia.org" - # Eventlogging eventlogging_host: 10.64.32.167 # eventlog1001 
@@ -76,3 +56,43 @@ - conf1001.eqiad.wmnet - conf1002.eqiad.wmnet - conf1003.eqiad.wmnet + +# +# Labs +# + +labs_nova_controller: &labsnovacontroller "labcontrol1001.wikimedia.org" +# _spare is a duplicate/backup controller. In theory it has the +# same state as the main controller +labs_nova_controller_spare: &labsnovacontrollerspare "labcontrol1002.wikimedia.org" + +# _other is the controller in the other datacenter +labs_nova_controller_other: &labsnovacontrollerother "labcontrol2001.wikimedia.org" +labs_glance_controller: &labsglancecontroller "labcontrol1001.wikimedia.org" +labs_puppet_master: &labspuppetmaster "labs-puppetmaster-eqiad.wikimedia.org" +labs_keystone_host: &labskeystonehost "labcontrol1001.wikimedia.org" + +# These are the old, soon-to-be-phased-out dns servers: +labs_ldap_dns_host: &labsldapdnshost "labs-ns0.wikimedia.org" +labs_ldap_dns_host_secondary: &labsldapdnshostsecondary "labs-ns1.wikimedia.org" + +# These are the up-and-coming, better dns servers: +labs_dns_host: &labsdnshost "labs-ns2.wikimedia.org" +labs_recursor: &labsrecursor "labs-recursor0.wikimedia.org" +labs_designate_hostname_secondary: &labs_designate_hostname_secondary "labservices1001.wikimedia.org" +designate_hostname: $designatehostname 'holmium.wikimedia.org' + +novaconfig: + db_host: 'm5-master.eqiad.wmnet' + glance_host: *labsnovacontroller + rabbit_host: *labsnovacontroller + cc_host: *labsnovacontroller + site_address: '208.80.155.255' + controller_hostname: *labsnovacontroller + ldap_host: *labsnovacontroller + puppet_host: *labsnovacontroller + puppet_db_host: *labsnovacontroller + +keystone: + auth_port: '35357' + auth_protocol: 'http' diff --git a/manifests/role/ceilometer.pp b/manifests/role/ceilometer.pp index 9e5eac3..b60b59b 100644 --- a/manifests/role/ceilometer.pp +++ b/manifests/role/ceilometer.pp 
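Review bot: The added line `designate_hostname: $designatehostname 'holmium.wikimedia.org'` uses `$` where a YAML anchor needs `&`, so the value is most likely read as one plain string that still contains `$designatehostname`. The key is also top-level, while the labs.pp hunk later in this change passes `$novaconfig['designate_hostname']` to `remote_cert_cleaner`, and the removed Puppet hashes carried that key inside `novaconfig`. With this change the cert cleaner host would therefore be unset. Suggest dropping this line and adding `designate_hostname: *labsdesignatehostname` under `novaconfig:` in hieradata/common.yaml, where that anchor is defined. Separately, `auth_protocol: 'http'` on the keystone admin port means the admin token referenced in nova.pp travels unencrypted; the previous value came from a class not shown in this diff, so this may be inherited rather than new.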
@@ -1,6 +1,6 @@ class role::ceilometer::controller { - include role::labs::openstack::nova::config - $novaconfig = $role::labs::openstack::nova::config::novaconfig + include role::labs::openstack::nova::common + $novaconfig = $role::labs::openstack::nova::common::novaconfig class { 'openstack::ceilometer::controller': openstack_version => $::openstack_version, @@ -9,8 +9,8 @@ } class role::ceilometer::compute { - include role::labs::openstack::nova::config - $novaconfig = $role::labs::openstack::nova::config::novaconfig + include role::labs::openstack::nova::common + $novaconfig = $role::labs::openstack::nova::common::novaconfig class { 'openstack::ceilometer::compute': openstack_version => $::openstack_version, diff --git a/manifests/role/horizon.pp b/manifests/role/horizon.pp index 0b7c6ad..287ce4e 100644 --- a/manifests/role/horizon.pp +++ b/manifests/role/horizon.pp @@ -1,6 +1,6 @@ class role::horizon { - include role::labs::openstack::nova::config - $novaconfig = $role::labs::openstack::nova::config::novaconfig + include role::labs::openstack::nova::common + $novaconfig = $role::labs::openstack::nova::common::novaconfig class { 'openstack::horizon::service': openstack_version => $::openstack_version, diff --git a/manifests/role/labs/openstack/nova.pp b/manifests/role/labs/openstack/nova.pp index 1a58aeb..713049b 100644 --- a/manifests/role/labs/openstack/nova.pp +++ b/manifests/role/labs/openstack/nova.pp 
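Review bot: Including `role::labs::openstack::nova::common` just to read `$novaconfig` is not equivalent to the old data-only `config` class. Per the nova.pp hunk, `common` also includes `passwords::misc::scripts` and `wikiupdates` and declares `class { '::openstack::common': ... }`. The same swap appears in the second ceilometer hunk, horizon.pp, nodepool.pp and salt/masters/labs.pp, so those hosts would now have whatever `openstack::common` manages applied to them; its body is not visible here, but it receives the full nova hash. Suggest keeping a resource-free class, for example a slimmed-down `role::labs::openstack::nova::config` that only performs the hiera lookups, and including that from roles that only need the data. A one-line comment above each include, such as `# data only: exposes $novaconfig, declares no resources`, would document the intent.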
@@ -1,158 +1,30 @@ -class role::labs::openstack::nova::config { - - include role::labs::openstack::nova::config::eqiad - include role::labs::openstack::nova::config::codfw - - $novaconfig = $::site ? { - 'eqiad' => $role::labs::openstack::nova::config::eqiad::novaconfig, - 'codfw' => $role::labs::openstack::nova::config::codfw::novaconfig, - } -} - -class role::labs::openstack::nova::config::common { - - require openstack - include passwords::openstack::nova - include passwords::openstack::ceilometer - include passwords::labs::rabbitmq - - $commonnovaconfig = { - db_name => 'nova', - db_user => 'nova', - db_pass => $passwords::openstack::nova::nova_db_pass, - metadata_pass => $passwords::openstack::nova::nova_metadata_pass, - rabbit_user => $passwords::labs::rabbitmq::rabbit_userid, - rabbit_pass => $passwords::labs::rabbitmq::rabbit_password, - ceilometer_user => $passwords::openstack::ceilometer::db_user, - ceilometer_pass => $passwords::openstack::ceilometer::db_pass, - ceilometer_secret_key => $passwords::openstack::ceilometer::secret_key, - ceilometer_db_name => 'ceilometer', - my_ip => $::ipaddress_eth0, - ldap_base_dn => 'dc=wikimedia,dc=org', - ldap_user_dn => 'uid=novaadmin,ou=people,dc=wikimedia,dc=org', - ldap_user_pass => $passwords::openstack::nova::nova_ldap_user_pass, - ldap_proxyagent => 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org', - ldap_proxyagent_pass => $passwords::openstack::nova::nova_ldap_proxyagent_pass, - controller_mysql_root_pass => $passwords::openstack::nova::controller_mysql_root_pass, - puppet_db_name => 'puppet', - puppet_db_user => 'puppet', - puppet_db_pass => $passwords::openstack::nova::nova_puppet_user_pass, - # By default, don't allow projects to allocate public IPs; this way we can - # let users have network admin rights, for firewall rules and such, and can - # give them public ips by increasing their quota - quota_floating_ips => '0', - libvirt_type => 'kvm', - } -} - -class role::labs::openstack::nova::config::codfw 
inherits role::labs::openstack::nova::config::common { - - include role::labs::openstack::keystone::config::eqiad - - $nova_controller = hiera('labs_nova_controller') - $keystoneconfig = $role::labs::openstack::keystone::config::eqiad::keystoneconfig - $controller_hostname = $nova_controller - $controller_address = ipresolve($nova_controller, 4) - $designate_hostname = 'holmium.wikimedia.org' - - $codfwnovaconfig = { - db_host => $controller_hostname, - dhcp_domain => 'codfw.wmflabs', - glance_host => $controller_hostname, - rabbit_host => $controller_hostname, - cc_host => $controller_hostname, - designate_hostname => $designate_hostname, - network_flat_interface => 'eth1.1102', - network_flat_tagged_base_interface => 'eth1', - network_flat_interface_vlan => '1102', - flat_network_bridge => 'br1102', - network_public_interface => 'eth0', - network_host => hiera('labs_nova_network_ip'), - api_host => hiera('labs_nova_api_host'), - api_ip => ipresolve(hiera('labs_nova_api_host'),4), - fixed_range => '10.68.16.0/21', - dhcp_start => '10.68.16.4', - network_public_ip => '208.80.155.255', - dmz_cidr => '208.80.155.0/22,10.0.0.0/8', - auth_uri => "http://${nova_controller}:5000", - controller_hostname => $controller_hostname, - controller_address => $controller_address, - ldap_host => $controller_hostname, - puppet_host => $controller_hostname, - puppet_db_host => $controller_hostname, - live_migration_uri => 'qemu://%s.codfw.wmnet/system?pkipath=/var/lib/nova', - zone => 'codfw', - keystone_admin_token => $keystoneconfig['admin_token'], - keystone_auth_host => $keystoneconfig['bind_ip'], - keystone_auth_protocol => $keystoneconfig['auth_protocol'], - keystone_auth_port => $keystoneconfig['auth_port'], - } - - $novaconfig = merge( $codfwnovaconfig, $commonnovaconfig ) -} - -class role::labs::openstack::nova::config::eqiad inherits role::labs::openstack::nova::config::common { - - include role::labs::openstack::keystone::config::eqiad - - $nova_controller = 
hiera('labs_nova_controller') - $keystoneconfig = $role::labs::openstack::keystone::config::eqiad::keystoneconfig - $controller_hostname = $nova_controller - $designate_hostname ='holmium.wikimedia.org' - $controller_address = ipresolve($nova_controller,4) - - $eqiadnovaconfig = { - db_host => 'm5-master.eqiad.wmnet', - dhcp_domain => 'eqiad.wmflabs', - glance_host => $controller_hostname, - rabbit_host => $controller_hostname, - cc_host => $controller_hostname, - designate_hostname => $designate_hostname, - network_flat_interface => 'eth1.1102', - network_flat_tagged_base_interface => 'eth1', - network_flat_interface_vlan => '1102', - flat_network_bridge => 'br1102', - network_public_interface => 'eth0', - network_host => hiera('labs_nova_network_ip'), - api_host => hiera('labs_nova_api_host'), - api_ip => ipresolve(hiera('labs_nova_api_host'),4), - fixed_range => '10.68.16.0/21', - dhcp_start => '10.68.16.4', - network_public_ip => '208.80.155.255', - dmz_cidr => '208.80.155.0/22,10.0.0.0/8', - auth_uri => "http://${nova_controller}:5000", - controller_hostname => $controller_hostname, - controller_address => $controller_address, - ldap_host => $controller_hostname, - puppet_host => $controller_hostname, - puppet_db_host => $controller_hostname, - live_migration_uri => 'qemu://%s.eqiad.wmnet/system?pkipath=/var/lib/nova', - zone => 'eqiad', - keystone_admin_token => $keystoneconfig['admin_token'], - keystone_auth_host => $keystoneconfig['bind_ip'], - keystone_auth_protocol => $keystoneconfig['auth_protocol'], - keystone_auth_port => $keystoneconfig['auth_port'], - } - - if ( $::hostname == hiera('labs_nova_network_host') ) { - $networkconfig = { - network_flat_interface => 'eth1.1102', - network_flat_tagged_base_interface => 'eth1', - } - $novaconfig = merge( $eqiadnovaconfig, $commonnovaconfig, $networkconfig ) - } else { - $novaconfig = merge( $eqiadnovaconfig, $commonnovaconfig ) - } -} - class role::labs::openstack::nova::common { include 
passwords::misc::scripts - include role::labs::openstack::nova::config include role::labs::openstack::nova::wikiupdates - $status_wiki_host_master = 'wikitech.wikimedia.org' - $novaconfig = $role::labs::openstack::nova::config::novaconfig + $novaconfig = hiera_hash('novaconfig', {}) + $keystone = hiera_hash('keystone', {}) + + $keystone_host = hiera('labs_keystone_host') + $nova_controller = hiera('labs_nova_controller') + $nova_api_host = hiera('labs_nova_api_host') + $network_host = hiera('labs_nova_network_host') + $status_wiki_host_master = hiera('status_wiki_host_master') + + $novaconfig['bind_ip'] = ipresolve($keystone_host,4) + $novaconfig['keystone_auth_port'] = $keystone['auth_port'] + $novaconfig['keystone_admin_token'] = $keystone['admin_token'] + $novaconfig['keystone_auth_protocol'] = $keystone['auth_protocol'] + + $novaconfig['auth_uri'] = "http://${nova_controller}:5000" + $novaconfig['api_ip'] = ipresolve($nova_api_host,4) + $novaconfig['controller_address'] = ipresolve($nova_controller,4) + + if ( $::hostname == $network_host ) { + $novaconfig['network_flat_interface'] = 'eth1.1102' + $novaconfig['network_flat_tagged_base_interface'] = 'eth1' + } class { '::openstack::common': novaconfig => $novaconfig, @@ -169,13 +41,13 @@ # This is the wikitech UI class role::labs::openstack::nova::manager { - include role::labs::openstack::nova::config include ::nutcracker::monitoring include ::mediawiki::packages::php5 include ::mediawiki::cgroup include ::scap::scripts - $novaconfig = $role::labs::openstack::nova::config::novaconfig + include role::labs::openstack::nova::common + $novaconfig = $role::labs::openstack::nova::common::novaconfig case $::realm { 'production': { 
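Review bot: In the rewritten `role::labs::openstack::nova::common`, none of the credential keys from the removed `commonnovaconfig` (`db_pass`, `rabbit_user`/`rabbit_pass`, `ldap_user_pass`, `ldap_proxyagent_pass`, `puppet_db_pass`, the ceilometer keys) are set any more, and the `keystone` hash added to hieradata has no `admin_token`, so with the `{}` defaults a host can compile a nova configuration with empty secrets instead of failing. If those values are meant to come from private hiera data, say so in a comment above the lookups and drop the `{}` defaults so that a missing hash aborts the catalog. The element-by-element `$novaconfig['...'] = ...` assignments also modify a hash after it has been bound, and in the network-host branch they target keys that hieradata/common.yaml already defines with the same values; building the derived keys with `merge()`, as the removed code did, avoids both. The old hash exposed the keystone address as `keystone_auth_host` whereas the new code stores it under `bind_ip`; the sketch below assumes consumers still read the old key, which should be confirmed. The class body continues past the end of this hunk.
```puppet
    # Secrets (db_pass, rabbit_pass, ldap_*_pass, keystone admin_token, ...) are
    # expected to be merged in from private hiera data; no default is given so a
    # missing hash fails the catalog instead of rendering empty credentials.
    $novaconfig_hiera = hiera_hash('novaconfig')
    $keystone         = hiera_hash('keystone')

    # … unchanged: hiera() lookups for keystone_host, nova_controller, nova_api_host, network_host, status_wiki_host_master …

    # Keys that have to be computed at compile time.
    $novaconfig_derived = {
        keystone_auth_host     => ipresolve($keystone_host, 4),
        keystone_auth_port     => $keystone['auth_port'],
        keystone_admin_token   => $keystone['admin_token'],
        keystone_auth_protocol => $keystone['auth_protocol'],
        auth_uri               => "http://${nova_controller}:5000",
        api_ip                 => ipresolve($nova_api_host, 4),
        controller_address     => ipresolve($nova_controller, 4),
    }

    # network_flat_interface / network_flat_tagged_base_interface already come
    # from hieradata with the same values, so the per-host branch is not needed.
    $novaconfig = merge($novaconfig_hiera, $novaconfig_derived)

    # … unchanged: class { '::openstack::common': … } …
```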
@@ -242,14 +114,12 @@ class role::labs::openstack::nova::controller { require openstack - include role::labs::openstack::nova::config include role::labs::puppetmaster - include role::labs::openstack::keystone::config::eqiad include role::labs::openstack::glance::config::eqiad include role::labs::openstack::nova::wikiupdates - include role::labs::openstack::nova::common - $novaconfig = $role::labs::openstack::nova::config::novaconfig + include role::labs::openstack::nova::common + $novaconfig = $role::labs::openstack::nova::common::novaconfig $glanceconfig = $::site ? { 'eqiad' => $role::labs::openstack::glance::config::eqiad::glanceconfig, @@ -288,10 +158,8 @@ class role::labs::openstack::nova::api { require openstack - include role::labs::openstack::nova::config include role::labs::openstack::nova::common - - $novaconfig = $role::labs::openstack::nova::config::novaconfig + $novaconfig = $role::labs::openstack::nova::common::novaconfig class { '::openstack::nova::api': novaconfig => $novaconfig, @@ -308,19 +176,13 @@ class role::labs::openstack::nova::network { require openstack - include role::labs::openstack::nova::config include role::labs::openstack::nova::common include role::labs::openstack::nova::wikiupdates - - $novaconfig = $role::labs::openstack::nova::config::novaconfig - - $site_address = $::site ? { - 'eqiad' => '208.80.155.255', - } + $novaconfig = $role::labs::openstack::nova::common::novaconfig interface::ip { 'openstack::network_service_public_dynamic_snat': interface => 'lo', - address => $site_address, + address => $novaconfig['site_address'], } interface::tagged { $novaconfig['network_flat_interface']: @@ -368,9 +230,9 @@ } require openstack - include role::labs::openstack::nova::config include role::labs::openstack::nova::common - $novaconfig = $role::labs::openstack::nova::config::novaconfig + $novaconfig = $role::labs::openstack::nova::common::novaconfig + ganglia::plugin::python {'diskstat': } 
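Review bot: In the `role::labs::openstack::nova::network` hunk, `address => $novaconfig['site_address']` is undefined on any site whose merged `novaconfig` lacks `site_address`, and in this change only hieradata/eqiad.yaml defines it. The removed selector had no default branch, so a non-eqiad host failed compilation; the new lookup would instead pass an empty address to `interface::ip` on the `lo` interface. Suggest an explicit guard before the declaration, such as `if ! $novaconfig['site_address'] { fail('novaconfig site_address is not set for this site') }`. The value `208.80.155.255` also duplicates `network_public_ip` in hieradata/common.yaml, so a comment stating whether the two are meant to stay identical would help. The class body starts and ends outside this hunk.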
diff --git a/manifests/role/nodepool.pp b/manifests/role/nodepool.pp index fdae43f..103675d 100644 --- a/manifests/role/nodepool.pp +++ b/manifests/role/nodepool.pp @@ -8,10 +8,9 @@ system::role { 'role::nodepool': description => 'CI Nodepool' } - include role::labs::openstack::nova::config include passwords::nodepool - - $novaconfig = $role::labs::openstack::nova::config::novaconfig + include role::labs::openstack::nova::common + $novaconfig = $role::labs::openstack::nova::common::novaconfig # dib scripts git::clone { 'integration/config': diff --git a/modules/role/manifests/salt/masters/labs.pp b/modules/role/manifests/salt/masters/labs.pp index 7dcdfd0..5ba865f 100644 --- a/modules/role/manifests/salt/masters/labs.pp +++ b/modules/role/manifests/salt/masters/labs.pp @@ -26,8 +26,8 @@ if ! defined(Class['puppetmaster::certmanager']) { - include role::labs::openstack::nova::config - $novaconfig = $role::labs::openstack::nova::config::novaconfig + include role::labs::openstack::nova::common + $novaconfig = $role::labs::openstack::nova::common::novaconfig class { 'puppetmaster::certmanager': remote_cert_cleaner => $novaconfig['designate_hostname'], -- To view, visit https://gerrit.wikimedia.org/r/254056 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I57f52537ad8ff326160a678b7a182cb64807bcc9 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Rush <r...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits