=====
Usage
=====

Heat is the main project in the OpenStack Orchestration program. It implements
an orchestration engine to launch multiple composite cloud applications based
on templates in the form of text files that can be treated like code. A native
Heat template format is evolving, but Heat also endeavours to provide
compatibility with the AWS CloudFormation template format, so that many
existing CloudFormation templates can be launched on OpenStack. Heat provides
both an OpenStack-native ReST API and a CloudFormation-compatible Query API.

Sample Pillars
==============

Single Heat services on the controller node:

.. code-block:: yaml

    heat:
      server:
        enabled: true
        version: icehouse
        region: RegionOne
        bind:
          metadata:
            address: 10.0.106.10
            port: 8000
            protocol: http
          waitcondition:
            address: 10.0.106.10
            port: 8000
            protocol: http
          watch:
            address: 10.0.106.10
            port: 8003
            protocol: http
        cloudwatch:
          host: 10.0.106.20
        api:
          host: 10.0.106.20
        api_cfn:
          host: 10.0.106.20
        database:
          engine: mysql
          host: 10.0.106.20
          port: 3306
          name: heat
          user: heat
          password: password
        identity:
          engine: keystone
          host: 10.0.106.20
          port: 35357
          tenant: service
          user: heat
          password: password
          endpoint_type_default: internalURL
          endpoint_type_heat: publicURL
        message_queue:
          engine: rabbitmq
          host: 10.0.106.20
          port: 5672
          user: openstack
          password: password
          virtual_host: '/openstack'
          ha_queues: True
        max_stacks_per_tenant: 150
        max_nested_stack_depth: 10

Define the Keystone client parameters for the server:

.. code-block:: yaml

    heat:
      server:
        clients:
          keystone:
            protocol: https
            host: 10.0.106.10
            port: 5000
            insecure: false

Server with ``auth_encryption_key`` defined (the key must be exactly 32
characters long):

.. code-block:: yaml

    heat:
      server:
        ....
        auth_encryption_key: "KeyToEncrypt-hasToBeExact32Chars"
        ....

Enable CORS parameters:

.. code-block:: yaml

    heat:
      server:
        cors:
          allowed_origin: https://localhost.local,http://localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400

Heat client with specified git templates:

.. code-block:: yaml

    heat:
      client:
        enabled: true
        template:
          admin:
            domain: default
            source:
              engine: git
              address: git@repo.domain.com:admin-templates.git
              revision: master
          default:
            domain: default
            source:
              engine: git
              address: git@repo.domain.com:default-templates.git
              revision: master

Ceilometer notification:

.. code-block:: yaml

    heat:
      server:
        enabled: true
        version: icehouse
        notification: true

Configuration of the ``policy.json`` file:

.. code-block:: yaml

    heat:
      server:
        ....
        policy:
          deny_stack_user: 'not role:heat_stack_user'
          'cloudformation:ValidateTemplate': 'rule:deny_stack_user'
          # Add a key without a value to remove the line from policy.json
          'cloudformation:DescribeStackResource':

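The merge rule described in the comment above, as an added example that is not part of the formula: the pillar policy is overlaid on an existing ``policy.json``, a key with no value (``None`` after YAML loading) drops the line, and a follow-up check flags rules whose ``rule:`` reference no longer resolves. The sample policies and the function names are constructed for this illustration.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample of an existing /etc/heat/policy.json (not formula data).
EXISTING_POLICY: Dict[str, str] = {
    "context_is_admin": "role:admin",
    "deny_stack_user": "not role:heat_stack_user",
    "cloudformation:ValidateTemplate": "rule:deny_stack_user",
    "cloudformation:DescribeStackResource": "rule:deny_stack_user",
}

# The heat:server:policy pillar from the README, as a YAML loader returns it:
# a key written without a value becomes None, meaning "drop this line".
PILLAR_POLICY: Dict[str, Optional[str]] = {
    "deny_stack_user": "not role:heat_stack_user",
    "cloudformation:ValidateTemplate": "rule:deny_stack_user",
    "cloudformation:DescribeStackResource": None,
}

# Matches "rule:<name>" references inside a policy expression.
RULE_REF = re.compile(r"\brule:([A-Za-z0-9_:\-]+)")


def merge_policy(existing: Dict[str, str], pillar: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Overlay the pillar on the existing policy; None values remove the rule."""
    merged = dict(existing)
    for rule, value in pillar.items():
        if value is None:
            merged.pop(rule, None)  # Heat then falls back to its built-in default
        else:
            merged[rule] = value
    return merged


def dangling_rule_refs(policy: Dict[str, str]) -> List[str]:
    """Rules whose expression references a rule that the policy does not define.

    oslo.policy evaluates a reference to an undefined rule as False, so removing
    a helper rule silently turns every API call that depends on it into a deny.
    """
    return sorted(
        name
        for name, value in policy.items()
        if any(ref not in policy for ref in RULE_REF.findall(value))
    )


def render_policy_json(policy: Dict[str, str]) -> str:
    """Serialize in a stable, sorted form suitable for writing to policy.json."""
    return json.dumps(policy, indent=4, sort_keys=True) + "\n"
```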
Client-side RabbitMQ HA setup:

.. code-block:: yaml

    heat:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Configuring TLS communications
------------------------------

.. note:: By default, the system-wide installed CA certificates are used, so
   the ``cacert_file`` parameter is optional, as is ``cacert``.

- **RabbitMQ TLS**

  .. code-block:: yaml

      heat:
        server:
          message_queue:
            port: 5671
            ssl:
              enabled: True
              # The following keys are optional; cacert is the certificate
              # body and is used when cacert_file does not exist.
              cacert: (certificate content)
              cacert_file: /etc/openstack/rabbitmq-ca.pem
              version: TLSv1_2

- **MySQL TLS**

  .. code-block:: yaml

      heat:
        server:
          database:
            ssl:
              enabled: True
              # The following keys are optional; cacert is the certificate
              # body and is used when cacert_file does not exist.
              cacert: (certificate content)
              cacert_file: /etc/openstack/mysql-ca.pem

- **OpenStack HTTPS API**

  .. code-block:: yaml

      heat:
        server:
          identity:
            protocol: https
            # optional
            cacert_file: /etc/openstack/proxy.pem
          clients:
            keystone:
              protocol: https
              # optional
              cacert_file: /etc/openstack/proxy.pem

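A pillar pre-check for three settings on this page that are easy to get subtly wrong, the ``auth_encryption_key`` length, the CORS ``allowed_origin`` syntax and TLS on the message queue, as an added example rather than formula code. The pillar fragment is constructed from the README snippets; ``check_heat_server`` and the expectation that ``ssl.enabled`` pairs with port 5671 are this example's assumptions, not documented formula behaviour.

```python
from typing import Any, Dict, List
from urllib.parse import urlsplit

# Constructed heat:server fragment assembled from the README snippets. The
# CORS origins keep the "https:host" form (no "//") to show the check firing.
SAMPLE_PILLAR: Dict[str, Any] = {
    "heat": {"server": {
        "auth_encryption_key": "KeyToEncrypt-hasToBeExact32Chars",
        "cors": {"allowed_origin": "https:localhost.local,http:localhost.local",
                 "allow_credentials": True},
        "message_queue": {"port": 5672, "ssl": {"enabled": True}},
    }}
}


def check_heat_server(pillar: Dict[str, Any]) -> List[str]:
    """Return findings for heat:server; an empty list means the pillar passes."""
    server = pillar.get("heat", {}).get("server", {})
    findings: List[str] = []

    # auth_encryption_key encrypts credentials Heat stores for deferred
    # operations; the README's sample value documents the 32-character rule.
    key = server.get("auth_encryption_key")
    if key is not None and len(key) != 32:
        findings.append(f"auth_encryption_key has {len(key)} chars, must be 32")

    # CORS: each origin must be scheme://host[:port] with no path. A wildcard
    # origin together with credentials is the over-permissive setup that lets
    # any site drive the API with the user's token, so it is flagged as well.
    cors = server.get("cors", {})
    for origin in filter(None, (o.strip() for o in cors.get("allowed_origin", "").split(","))):
        if origin == "*":
            if cors.get("allow_credentials"):
                findings.append("cors: '*' origin cannot be combined with allow_credentials")
            continue
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
            findings.append(f"cors: malformed origin {origin!r} (expected scheme://host[:port])")

    # RabbitMQ TLS: the README pairs ssl.enabled with the AMQPS port 5671, so
    # TLS enabled on the plaintext port 5672 is treated as a misconfiguration.
    mq = server.get("message_queue", {})
    if mq.get("ssl", {}).get("enabled") and mq.get("port") == 5672:
        findings.append("message_queue: ssl.enabled with plaintext port 5672, expected 5671")

    return findings
```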
Enhanced logging with logging.conf
----------------------------------

By default, ``logging.conf`` is disabled.

It is possible to enable a per-binary ``logging.conf`` with the following
variables:

* ``openstack_log_appender``
    Set to true to enable ``log_config_append`` for all OpenStack services

* ``openstack_fluentd_handler_enabled``
    Set to true to enable ``FluentHandler`` for all OpenStack services

* ``openstack_ossyslog_handler_enabled``
    Set to true to enable ``OSSysLogHandler`` for all OpenStack services

Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler`` are
available.

It is also possible to configure this with pillar:

.. code-block:: yaml

    heat:
      server:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true

Enable x509 and SSL communication between Heat and the Galera cluster
----------------------------------------------------------------------

By default, communication between Heat and Galera is insecure.

.. code-block:: yaml

    heat:
      server:
        database:
          x509:
            enabled: True

You can set custom certificates in pillar:

.. code-block:: yaml

    heat:
      server:
        database:
          x509:
            cacert: (certificate content)
            cert: (certificate content)
            key: (private key content)

You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html

Heat services with memcached caching and security strategy:

.. code-block:: yaml

    heat:
      server:
        enabled: true
        ...
        cache:
          engine: memcached
          members:
            - host: 127.0.0.1
              port: 11211
            - host: 127.0.0.1
              port: 11211
          security:
            enabled: true
            strategy: ENCRYPT
            secret_key: secret

Upgrades
========

Each OpenStack formula provides a set of phases (logical blocks) that help to
build flexible upgrade orchestration logic for particular components. The
phases and their descriptions are listed in the table below:

+-------------------------------+------------------------------------------------------+
| State                         | Description                                          |
+===============================+======================================================+
| <app>.upgrade.service_running | Ensure that all services for particular application  |
|                               | are enabled for autostart and running                |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.service_stopped | Ensure that all services for particular application  |
|                               | are disabled for autostart and dead                  |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pkgs_latest     | Ensure that packages used by particular application  |
|                               | are installed to latest available version.           |
|                               | This will not upgrade data plane packages like qemu  |
|                               | and openvswitch as usually minimal required version  |
|                               | in OpenStack services is really old. The data plane  |
|                               | packages should be upgraded separately by ``apt-get  |
|                               | upgrade`` or ``apt-get dist-upgrade``.               |
|                               | Applying this state will not autostart the service.  |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.render_config   | Ensure configuration is rendered for the actual      |
|                               | version.                                             |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pre             | We assume this state is applied on all nodes in the  |
|                               | cloud before running upgrade.                        |
|                               | Only non-destructive actions will be applied during  |
|                               | this phase. Perform the built-in service checks      |
|                               | (``keystone-manage doctor`` and ``nova-status        |
|                               | upgrade``).                                          |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.pre     | Mostly applicable for data plane nodes. During this  |
|                               | phase resources will be gracefully removed from the  |
|                               | current node if it is allowed. Services for the      |
|                               | upgraded application will be set to admin disabled   |
|                               | state to make sure the node will not participate in  |
|                               | resource scheduling. For example on gtw nodes this   |
|                               | will set all agents to admin disabled state and will |
|                               | move all routers to other agents.                    |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade         | This state upgrades the application on the           |
|                               | particular target: stop services, render             |
|                               | configuration, install new packages, run offline     |
|                               | dbsync (for ctl), start services. Data plane should  |
|                               | not be affected, only OpenStack python services.     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.post    | Add services back to scheduling.                     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.post            | This phase should be launched only when upgrade of   |
|                               | the cloud is completed. Clean up temporary files,    |
|                               | perform other post-upgrade tasks.                    |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.verify          | Here we will do basic health checks (API CRUD        |
|                               | operations, verify there are no dead network         |
|                               | agents/compute services).                            |
+-------------------------------+------------------------------------------------------+

Documentation and Bugs
======================

* http://salt-formulas.readthedocs.io/
    Learn how to install and update salt-formulas

* https://github.com/salt-formulas/salt-formula-heat/issues
    In the unfortunate event that bugs are discovered, report the issue to the
    appropriate issue tracker. Use the GitHub issue tracker for a specific salt
    formula

* https://launchpad.net/salt-formulas
    For feature requests, bug reports, or blueprints affecting the entire
    ecosystem, use the Launchpad salt-formulas project

* https://launchpad.net/~salt-formulas-users
    Join the salt-formulas-users team and subscribe to the mailing list if
    required

* https://github.com/salt-formulas/salt-formula-heat
    Develop the salt-formulas projects in the master branch and then submit pull
    requests against a specific formula

* #salt-formulas @ irc.freenode.net
    Use this IRC channel for any questions or feedback, which is always
    welcome
