Merge "Fix wrong config_drive_cdrom option placement in nova config file"
diff --git a/README.rst b/README.rst
index 56ecdb1..2a8ace1 100644
--- a/README.rst
+++ b/README.rst
@@ -71,6 +71,8 @@
         audit:
           enabled: false
         osapi_max_limit: 500
+        barbican:
+          enabled: true
 
 
 Nova services from custom package repository
@@ -146,6 +148,16 @@
           # Add key without value to remove line from policy.json
           'compute:create:attach_network':
 
+Enable Barbican integration
+
+.. code-block:: yaml
+
+    nova:
+      controller:
+        ....
+        barbican:
+          enabled: true
+
 
 Client-side RabbitMQ TLS configuration:
 ---------------------------------------
@@ -367,6 +379,17 @@
               - /dev/sdj
               - /dev/sdh
 
+Enable Barbican integration
+
+.. code-block:: yaml
+
+    nova:
+      compute:
+        ....
+        barbican:
+          enabled: true
+
+
 Client role
 -----------
 
diff --git a/nova/compute.sls b/nova/compute.sls
index af88b85..07fdfe2 100644
--- a/nova/compute.sls
+++ b/nova/compute.sls
@@ -186,12 +186,41 @@
   pkg.installed:
   - name: ceph-common
 
+{%- if compute.ceph.cinder_secret_uuid is defined and compute.ceph.cinder_volumes_key is defined %}
+
+{%- set cinder_volumes_key = salt['grains.get']("ceph:ceph_keyring:"+compute.ceph.cinder_volumes_key+":key", '') %}
+
+{%- if cinder_volumes_key != '' %}
+
+/etc/secret_cinder.xml:
+  file.managed:
+  - source: salt://nova/files/secret_cinder.xml
+  - template: jinja
+
+ceph_virsh_secret_define_cinder:
+  cmd.run:
+  - name: "virsh secret-define --file /etc/secret_cinder.xml"
+  - unless: "virsh secret-list | grep {{ compute.ceph.cinder_secret_uuid }}"
+  - require:
+    - file: /etc/secret_cinder.xml
+
+ceph_virsh_secret_set_value_cinder:
+  cmd.run:
+  - name: "virsh secret-set-value --secret {{ compute.ceph.cinder_secret_uuid }} --base64 {{ cinder_volumes_key }} "
+  - unless: "virsh secret-get-value {{ compute.ceph.cinder_secret_uuid }} | grep {{ cinder_volumes_key }}"
+  - require:
+    - cmd: ceph_virsh_secret_define_cinder
+
+{% endif %}
+
+{% endif %}
+
 /etc/secret.xml:
   file.managed:
   - source: salt://nova/files/secret.xml
   - template: jinja
 
-ceph_virsh_secret_define:
+ceph_virsh_secret_define_nova:
   cmd.run:
   - name: "virsh secret-define --file /etc/secret.xml"
   - unless: "virsh secret-list | grep {{ compute.ceph.secret_uuid }}"
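Review bot: The Ceph key is passed as a command-line argument in `ceph_virsh_secret_set_value_cinder` (both the `name` and the `unless` grep), so it shows up in process listings and, by default, in the minion log and the state return that Salt records for a cmd.run. Adding `- output_loglevel: quiet` to that state keeps the key out of the log and highstate output; the existing nova states in the next hunk share the same exposure. Unlike the nova secret, which falls back to `compute.ceph.client_cinder_key` from pillar when the grain is empty, this block silently defines nothing when `cinder_volumes_key` is `''` — confirm that is intended. The closing `{% endif %}` tags use the non-stripping form while the opening tags use `{%- if`, which leaves extra blank lines in the rendered state.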
@@ -202,21 +231,21 @@
 
 {%- if client_cinder_key != '' %}
 
-ceph_virsh_secret_set_value:
+ceph_virsh_secret_set_value_nova:
   cmd.run:
   - name: "virsh secret-set-value --secret {{ compute.ceph.secret_uuid }} --base64 {{ client_cinder_key }} "
   - unless: "virsh secret-get-value {{ compute.ceph.secret_uuid }} | grep {{ client_cinder_key }}"
   - require:
-    - cmd: ceph_virsh_secret_define
+    - cmd: ceph_virsh_secret_define_nova
 
 {% else %}
 
-ceph_virsh_secret_set_value:
+ceph_virsh_secret_set_value_nova:
   cmd.run:
   - name: "virsh secret-set-value --secret {{ compute.ceph.secret_uuid }} --base64 {{ compute.ceph.client_cinder_key }} "
   - unless: "virsh secret-get-value {{ compute.ceph.secret_uuid }} | grep {{ compute.ceph.client_cinder_key }}"
   - require:
-    - cmd: ceph_virsh_secret_define
+    - cmd: ceph_virsh_secret_define_nova
 
 {% endif %}
 
diff --git a/nova/files/mitaka/nova-compute.conf.Debian b/nova/files/mitaka/nova-compute.conf.Debian
index cb5db64..e43e8ba 100644
--- a/nova/files/mitaka/nova-compute.conf.Debian
+++ b/nova/files/mitaka/nova-compute.conf.Debian
@@ -121,6 +121,9 @@
 libvirt_inject_password=True
 block_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE,VIR_MIGRATE_PEER2PEER,VIR_MIGRATE_LIVE,VIR_MIGRATE_NON_SHARED_INC
 live_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE,VIR_MIGRATE_PEER2PEER,VIR_MIGRATE_LIVE,VIR_MIGRATE_PERSIST_DEST
+{%- if compute.libvirt.migration_inbound_addr is defined %}
+live_migration_inbound_addr = {{ compute.libvirt.migration_inbound_addr }}
+{%- endif %}
 libvirt_inject_key=True
 inject_key=False
 vif_driver=nova.virt.libvirt.vif.LibvirtGenericVIFDriver
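Review bot: The added `live_migration_inbound_addr = {{ ... }}` puts spaces around `=` while every other option in this template is written `key=value` (see `live_migration_flag=` just above); oslo.config accepts both, but the file's convention is the compact form, so `live_migration_inbound_addr={{ compute.libvirt.migration_inbound_addr }}` would match it. The same line is added to the newton template and to the ocata nova-compute template further down, where the comment above it even shows the compact form `#live_migration_inbound_addr=<None>`.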
diff --git a/nova/files/newton/nova-compute.conf.Debian b/nova/files/newton/nova-compute.conf.Debian
index 5d04fe1..7050864 100644
--- a/nova/files/newton/nova-compute.conf.Debian
+++ b/nova/files/newton/nova-compute.conf.Debian
@@ -164,6 +164,9 @@
 libvirt_inject_password=True
 block_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE,VIR_MIGRATE_PEER2PEER,VIR_MIGRATE_LIVE,VIR_MIGRATE_NON_SHARED_INC
 live_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE,VIR_MIGRATE_PEER2PEER,VIR_MIGRATE_LIVE,VIR_MIGRATE_PERSIST_DEST
+{%- if compute.libvirt.migration_inbound_addr is defined %}
+live_migration_inbound_addr = {{ compute.libvirt.migration_inbound_addr }}
+{%- endif %}
 libvirt_inject_key=True
 inject_key=False
 vif_driver=nova.virt.libvirt.vif.LibvirtGenericVIFDriver
diff --git a/nova/files/ocata/nova-compute.conf.Debian b/nova/files/ocata/nova-compute.conf.Debian
index 2e2d276..ab59964 100644
--- a/nova/files/ocata/nova-compute.conf.Debian
+++ b/nova/files/ocata/nova-compute.conf.Debian
@@ -3477,7 +3477,7 @@
 # If set, use this value for pool_timeout with SQLAlchemy. (integer value)
 #pool_timeout=<None>
 
-
+{%- if compute.get('barbican', {}).get('enabled', False) %}
 [barbican]
 
 #
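Review bot: The guard `compute.get('barbican', {}).get('enabled', False)` is repeated verbatim in four hunks of this template and three of the controller template below; a single `{%- set barbican_enabled = compute.get('barbican', {}).get('enabled', False) %}` next to the template's existing imports (outside this hunk) would let each guard read `{%- if barbican_enabled %}` and keep the copies from drifting. Note that `{%-` on this line also strips the blank line that used to separate `#pool_timeout=<None>` from `[barbican]`; harmless for oslo.config, but it changes the rendered layout when the section is enabled.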
@@ -3492,7 +3492,7 @@
 #barbican_api_version=<None>
 
 # Use this endpoint to connect to Keystone (string value)
-#auth_endpoint=http://localhost:5000/v3
+auth_endpoint={{ compute.identity.get('protocol', 'http') }}://{{ compute.identity.get('host', 'localhost') }}:{{ compute.identity.get('port', '5000') }}/v3
 
 # Number of seconds to wait before retrying poll for key creation completion
 # (integer value)
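Review bot: `auth_endpoint` falls back to `http://` when `compute.identity.protocol` is unset, so the key manager's Keystone authentication would default to plaintext; confirm this matches the protocol default the template already uses for its other identity settings (outside this hunk) rather than introducing a weaker one just for Barbican. The expression also assumes `compute.identity` is always present in the pillar — with Barbican enabled but no `identity` mapping the render fails instead of skipping the option, which is presumably acceptable but worth a comment such as `# requires compute.identity when barbican is enabled`. The controller template below renders the same endpoint under `controller.identity` and has the same default.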
@@ -3500,7 +3500,7 @@
 
 # Number of times to retry poll for key creation completion (integer value)
 #number_of_retries=60
-
+{%- endif %}
 
 [cache]
 
@@ -5069,7 +5069,11 @@
 # * The options in the `key_manager` group, as the key_manager is used
 #   for the signature validation.
 #  (boolean value)
+{%- if compute.get('barbican', {}).get('enabled', False) %}
+verify_glance_signatures=true
+{%- else %}
 #verify_glance_signatures=false
+{%- endif %}
 
 # Enable or disable debug logging with glanceclient. (boolean value)
 #debug=false
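Review bot: `verify_glance_signatures=true` is tied to `barbican.enabled`, which couples two independent decisions: enabling Barbican as key manager (for example for encrypted volumes) now also turns on image signature verification for every boot. The help text above notes that validation relies on the `key_manager` group; if I recall the Ocata behaviour correctly, images whose signature metadata is missing or unverifiable are then refused and the instance is placed in error state — confirm against the deployed nova version before merging. A dedicated pillar flag for signature verification, defaulting to the current commented-out behaviour, would let operators enable Barbican without changing image-boot semantics. The controller template hunk below has the same coupling.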
@@ -5601,7 +5605,9 @@
 #fixed_key=<None>
 
 # The full class name of the key manager API class (string value)
-#api_class=castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+{%- if compute.get('barbican', {}).get('enabled', False) %}
+api_class=castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+{%- endif %}
 
 # The type of authentication credential to create. Possible values are 'token',
 # 'password', 'keystone_token', and 'keystone_password'. Required if no context
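Review bot: The value set here, `castellan.key_manager.barbican_key_manager.BarbicanKeyManager`, is the sample default shown on the removed commented line, so nova uses the Barbican key manager whether or not `barbican.enabled` is set; the guard documents intent but does not change the effective key manager when Barbican is disabled. If a disabled Barbican is meant to mean no Barbican key manager, an `{%- else %}` branch with an explicit alternative is needed; otherwise a comment like `# api_class is the upstream default; set explicitly only to make the Barbican dependency visible` would stop the guard from being read as a switch. The controller template hunk below has the same shape.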
@@ -6147,6 +6153,9 @@
 # * A valid IP address or hostname, else None.
 #  (string value)
 #live_migration_inbound_addr=<None>
+{%- if compute.libvirt.migration_inbound_addr is defined %}
+live_migration_inbound_addr = {{ compute.libvirt.migration_inbound_addr }}
+{%- endif %}
 
 # DEPRECATED:
 # Live migration target URI to use.
diff --git a/nova/files/ocata/nova-controller.conf.Debian b/nova/files/ocata/nova-controller.conf.Debian
index ee7bcc3..9287087 100644
--- a/nova/files/ocata/nova-controller.conf.Debian
+++ b/nova/files/ocata/nova-controller.conf.Debian
@@ -3477,7 +3477,9 @@
 #barbican_api_version=<None>
 
 # Use this endpoint to connect to Keystone (string value)
-#auth_endpoint=http://localhost:5000/v3
+{%- if controller.get('barbican', {}).get('enabled', False) %}
+auth_endpoint={{ controller.identity.get('protocol', 'http') }}://{{ controller.identity.get('host', 'localhost') }}:{{ controller.identity.get('port', '5000') }}/v3
+{%- endif %}
 
 # Number of seconds to wait before retrying poll for key creation completion
 # (integer value)
@@ -5090,7 +5092,11 @@
 # * The options in the `key_manager` group, as the key_manager is used
 #   for the signature validation.
 #  (boolean value)
+{%- if controller.get('barbican', {}).get('enabled', False) %}
+verify_glance_signatures=true
+{%- else %}
 #verify_glance_signatures=false
+{%- endif %}
 
 # Enable or disable debug logging with glanceclient. (boolean value)
 #debug=false
@@ -5618,7 +5624,9 @@
 #fixed_key=<None>
 
 # The full class name of the key manager API class (string value)
-#api_class=castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+{%- if controller.get('barbican', {}).get('enabled', False) %}
+api_class=castellan.key_manager.barbican_key_manager.BarbicanKeyManager
+{%- endif %}
 
 # The type of authentication credential to create. Possible values are 'token',
 # 'password', 'keystone_token', and 'keystone_password'. Required if no context
diff --git a/nova/files/secret.xml b/nova/files/secret.xml
index 19e55c8..aacd09e 100644
--- a/nova/files/secret.xml
+++ b/nova/files/secret.xml
@@ -4,4 +4,4 @@
   <usage type='ceph'>
     <name>client.{{ compute.ceph.get('rbd_user', 'cinder') }} secret</name>
   </usage>
-</secret>
+</secret>
\ No newline at end of file
diff --git a/nova/files/secret_cinder.xml b/nova/files/secret_cinder.xml
new file mode 100644
index 0000000..01e4dda
--- /dev/null
+++ b/nova/files/secret_cinder.xml
@@ -0,0 +1,4 @@
+{%- from "nova/map.jinja" import compute with context %}
+<secret ephemeral='no' private='no'>
+  <uuid>{{ compute.ceph.cinder_secret_uuid }}</uuid>
+</secret>
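Review bot: The new secret definition omits the `<usage type='ceph'><name>…</name></usage>` element that nova/files/secret.xml carries (visible in the previous hunk), so the two libvirt secrets are described differently; confirm that a usage-less secret is what the consumer of `cinder_secret_uuid` expects, or add the same usage block with a distinct name. It also sets `private='no'`, which lets any libvirt client read the key back with `secret-get-value` — the `unless` check in compute.sls depends on exactly that, so tightening to `private='yes'` would need a different idempotence check (for example only testing that the secret exists).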
diff --git a/nova/map.jinja b/nova/map.jinja
index f725112..d8610f6 100644
--- a/nova/map.jinja
+++ b/nova/map.jinja
@@ -114,5 +114,9 @@
         'error_log_rate': {
               'warn': 0.2,
         },
+        'services_failed_warning_threshold_percent': 0.3,
+        'services_failed_critical_threshold_percent': 0.6,
+        'computes_failed_warning_threshold_percent': 0.25,
+        'computes_failed_critical_threshold_percent': 0.5,
     },
 }, grain='os_family', merge=salt['pillar.get']('nova:monitoring')) %}
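Review bot: The four new keys carry a `_percent` suffix but hold fractions (0.3, 0.6, 0.25, 0.5), and nova/meta/prometheus.yml multiplies them by 100 only for the alert text while using them raw in the expressions; a comment such as `# fractions in [0, 1] despite the _percent suffix; prometheus.yml scales by 100 for display only` above the block would stop an operator from overriding them with `30` in pillar. The expected ordering warning < critical is not enforced anywhere visible, so it is worth stating in the same comment.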
diff --git a/nova/meta/grafana.yml b/nova/meta/grafana.yml
index 7c352c3..336fa8c 100644
--- a/nova/meta/grafana.yml
+++ b/nova/meta/grafana.yml
@@ -77,7 +77,7 @@
                 alias: "Fatal"
                 rawQuery: true
                 query: SELECT count(max) FROM openstack_nova_http_response_times WHERE environment_label = '$environment' AND http_status = '5xx' AND $timeFilter
-  main:
+  main_influxdb:
     datasource: influxdb
     row:
       ost-control-plane:
@@ -106,3 +106,18 @@
               cluster_status:
                 rawQuery: true
                 query: SELECT last(value) FROM cluster_status WHERE cluster_name = 'nova-data' AND environment_label = '$environment' AND $timeFilter GROUP BY time($interval) fill(null)
+  main_prometheus:
+    datasource: prometheus
+    row:
+      ost-control-plane:
+        title: OpenStack Control Plane
+        panel:
+          nova:
+            title: Nova
+            links:
+            - dashboard: Nova
+              title: Nova
+              type: dashboard
+            target:
+              cluster_status:
+                expr: avg(openstack_api_check_status{service="nova"})
diff --git a/nova/meta/prometheus.yml b/nova/meta/prometheus.yml
index c9d1a8d..8599418 100644
--- a/nova/meta/prometheus.yml
+++ b/nova/meta/prometheus.yml
@@ -41,7 +41,7 @@
       annotations:
         summary: "Endpoint check for '{{ $labels.service }}' is down"
         description: >-
-            Endpoint check for '{{ $labels.service }}' is down for 2 minutes
+            Endpoint check for '{{ $labels.service }}' is down for the last 2 minutes
     NovaAPIServiceDown:
       if: >-
         http_response_status{service=~"nova-api"} == 0
@@ -52,30 +52,30 @@
       annotations:
         summary: "HTTP check for '{{ $labels.service }}' down"
         description: >-
-            The HTTP check for '{{ $labels.service }}' is down on {{ $labels.host }} for 2 minutes.
-    NovaSomeServicesDown:
+            The HTTP check for '{{ $labels.service }}' is down on {{ $labels.host }} for the last 2 minutes.
+    NovaServicesWarning:
       if: >-
-        openstack_nova_services{state="down",service=~"nova-cert|nova-conductor|nova-consoleauth|nova-scheduler"} > 0 and ignoring(state) openstack_nova_services{state="up",service=~"nova-cert|nova-conductor|nova-consoleauth|nova-scheduler"} >= 2
+        openstack_nova_services{state="down",service=~"nova-cert|nova-conductor|nova-consoleauth|nova-scheduler"} >= on (service) sum(openstack_nova_services{service=~"nova-cert|nova-conductor|nova-consoleauth|nova-scheduler"}) by (service) * {%- endraw %} {{monitoring.services_failed_warning_threshold_percent}} {%- raw %}
       for: 2m
       labels:
         severity: warning
         service: "{{ $labels.service }}"
       annotations:
-        summary: "Some {{ $labels.service }} services down"
+        summary: "More than {%- endraw %} {{monitoring.services_failed_warning_threshold_percent*100}}%{%- raw %} of {{ $labels.service }} services are down"
         description: >-
-            {{ $value }} '{{ $labels.service }}' service(s) is/are down for 2 minutes
-    NovaOnlyOneServiceUp:
+            More than {%- endraw %} {{monitoring.services_failed_warning_threshold_percent*100}}%{%- raw %} of {{ $labels.service }} services are down for the last 2 minutes
+    NovaServicesCritical:
       if: >-
-        openstack_nova_services{state="up",service=~"nova-cert|nova-conductor|nova-consoleauth|nova-scheduler"} == 1 and ignoring(state) openstack_nova_services{state=~"down|disabled",service=~"nova-cert|nova-conductor|nova-consoleauth|nova-scheduler"} > 0
+        openstack_nova_services{state="down",service=~"nova-cert|nova-conductor|nova-consoleauth|nova-scheduler"} >= on (service) sum(openstack_nova_services{service=~"nova-cert|nova-conductor|nova-consoleauth|nova-scheduler"}) by (service) * {%- endraw %} {{monitoring.services_failed_critical_threshold_percent}} {%- raw %}
       for: 2m
       labels:
         severity: critical
         service: "{{ $labels.service }}"
       annotations:
-        summary: "Only one {{ $labels.service }} service up"
+        summary: "More than {%- endraw %} {{monitoring.services_failed_critical_threshold_percent*100}}%{%- raw %} of {{ $labels.service }} services are down"
         description: >-
-            Only one '{{ $labels.service }}' service is up for 2 minutes
-    NovaAllServicesDown:
+            More than {%- endraw %} {{monitoring.services_failed_critical_threshold_percent*100}}%{%- raw %} of {{ $labels.service }} services are down for the last 2 minutes
+    NovaServicesDown:
       if: >-
         openstack_nova_services{state="up",service=~"nova-cert|nova-conductor|nova-consoleauth|nova-scheduler"} == 0
       for: 2m
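Review bot: `{{monitoring.services_failed_warning_threshold_percent*100}}` in the summary and description of NovaServicesWarning renders the float product directly; with the map.jinja default of 0.3, Python evaluates `0.3*100` to `30.000000000000004`, so the alert text would read "More than 30.000000000000004% of …". Wrapping the product, `{{ (monitoring.services_failed_warning_threshold_percent*100)|int }}`, fixes this; the same expression appears in NovaServicesCritical here and in the two compute rules of the next hunk. The wording "More than" also mismatches the `>=` in the expressions, which fires at exactly the threshold as well ("At least" would be accurate).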
@@ -85,30 +85,30 @@
       annotations:
         summary: "All {{ $labels.service }} services down"
         description: >-
-            All '{{ $labels.service }}' services are down for 2 minutes
-    NovaSomeComputesDown:
+            All '{{ $labels.service }}' services are down for the last 2 minutes
+    NovaComputesWarning:
       if: >-
-        openstack_nova_services{state="down",service=~"nova-compute"} > 0
+        openstack_nova_services{state="down",service=~"nova-compute"} >= on (service) sum(openstack_nova_services{service=~"nova-compute"}) by (service) * {%- endraw %} {{monitoring.computes_failed_warning_threshold_percent}} {%- raw %}
       for: 2m
       labels:
         severity: warning
         service: "{{ $labels.service }}"
       annotations:
-        summary: "Some {{ $labels.service }} services down"
+        summary: "More than {%- endraw %} {{monitoring.computes_failed_warning_threshold_percent*100}}%{%- raw %} of {{ $labels.service }} services are down"
         description: >-
-            {{ $value }} '{{ $labels.service }}' service(s) is/are down for 2 minutes
-    NovaMajorityComputesDown:
+            More than {%- endraw %} {{monitoring.computes_failed_warning_threshold_percent*100}}%{%- raw %} of {{ $labels.service }} services are down for the last 2 minutes
+    NovaComputesCritical:
       if: >-
-        openstack_nova_services_percent{state="down",service=~"nova-compute"} > 50
+        openstack_nova_services_percent{state="down",service=~"nova-compute"} >= on (service) sum(openstack_nova_services{service=~"nova-compute"}) by (service) * {%- endraw %} {{monitoring.computes_failed_critical_threshold_percent}} {%- raw %}
       for: 2m
       labels:
         severity: critical
         service: "{{ $labels.service }}"
       annotations:
-        summary: "Only one {{ $labels.service }} service up"
+        summary: "More than {%- endraw %} {{monitoring.computes_failed_critical_threshold_percent*100}}%{%- raw %} of {{ $labels.service }} services are down"
         description: >-
-            Only one '{{ $labels.service }}' service is up for 2 minutes
-    NovaAllComputesDown:
+            More than {%- endraw %} {{monitoring.computes_failed_critical_threshold_percent*100}}%{%- raw %} of {{ $labels.service }} services are down for the last 2 minutes
+    NovaComputesDown:
       if: >-
         openstack_nova_services{state="up",service=~"nova-compute"} == 0
       for: 2m
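Review bot: NovaComputesCritical compares `openstack_nova_services_percent{state="down",…}` — a percentage, as the removed `> 50` shows — against `sum(openstack_nova_services{…}) * 0.5`, a count of services times a fraction, so the threshold is in the wrong units and the rule fires far too early or too late depending on the number of computes. NovaComputesWarning just above uses the count metric on the left, and the critical rule should do the same: `openstack_nova_services{state="down",service=~"nova-compute"} >= on (service) sum(openstack_nova_services{service=~"nova-compute"}) by (service) * {%- endraw %} {{monitoring.computes_failed_critical_threshold_percent}} {%- raw %}`. Alternatively keep the percent metric and compare it with the threshold times 100.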
@@ -116,9 +116,9 @@
         severity: down
         service: "{{ $labels.service }}"
       annotations:
-        summary: "All {{ $labels.service }} services down"
+        summary: "All {{ $labels.service }} services are down"
         description: >-
-            All '{{ $labels.service }}' services are down for 2 minutes
+            All '{{ $labels.service }}' services are down for the last 2 minutes
     NovaTotalFreeVCPUsLow:
       if: >-
         (100.0 * openstack_nova_total_free_vcpus) / (openstack_nova_total_free_vcpus + openstack_nova_total_used_vcpus) < 10.0
diff --git a/tests/pillar/compute_cluster.sls b/tests/pillar/compute_cluster.sls
index b027101..e200640 100644
--- a/tests/pillar/compute_cluster.sls
+++ b/tests/pillar/compute_cluster.sls
@@ -75,4 +75,5 @@
       images_volume_group: nova_vg
       volume_clear: zero
       volume_clear_size: 0
-
+    barbican:
+      enabled: true
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index 07cb450..d057d1b 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -64,3 +64,5 @@
       'compute:create:attach_network':
     upgrade_levels:
       compute: liberty
+    barbican:
+      enabled: true