Templates for OpenStack Antelope version

Main changes compared to Yoga templates:

- All API services, except Keystone, handled by uwsgi instead of the
  openstack-xxx-api service (recommended configuration)
- https terminated by a Nginx proxy for all API services, including
  the WSGI apps run into Apache (Keystone, Horizon)

Author: jouvin

defaults/openstack/config.pan

@@ -120,8 +120,8 @@ function openstack_add_component_dependency = {
 
 @documentation {
 
-This function returns the value receive in argument if it is defined, null
-otherwise. It is a helper for assigning optional values to the schema.
+    This function returns the value received in argument if it is defined, null
+    otherwise. It is a helper for assigning optional values to the schema.
 
 }
 function openstack_add_if_defined = {
@@ -137,3 +137,35 @@ function openstack_add_if_defined = {
         null;
     };
 };
+
+
+@documentation {
+
+    This function returns a filecopy/services entry to load the policy file passed as
+    argument, after checking it as a valid extension
+
+    Arguments:
+    - Name of the service the policy applies to (must match a directory under /etc on the target server)
+    - File path containing the policy source, relative to the current loadpath
+}
+function openstack_load_policy = {
+    if ( ARGC != 2 ) {
+        error('openstack_load_policy usage: openstack_load_policy(service, policy_file)');
+    };
+    service = ARGV[0];
+    policy_source = ARGV[1];
+    if ( is_defined(policy_source) ) {
+        if ( !match(policy_source, '.*\.yaml$') ) {
+            error('policy_source must be a file name with the extension .yaml');
+        };
+        policy_file = format('/etc/%s/policy.yaml', service);
+        SELF[escape(policy_file)] = dict(
+            'config', file_contents(policy_source),
+            'owner', 'root',
+            'perms', '0644',
+            'backup', true,
+        );
+    };
+
+    SELF;
+};

defaults/openstack/functions.pan

@@ -14,65 +14,70 @@ prefix '/software/components/metaconfig/services/{/root/admin-openrc.sh}';
 'contents/variables/OS_TENANT_NAME' = 'admin';
 'contents/variables/OS_USERNAME' = OS_USERNAME;
 'contents/variables/OS_PASSWORD' = OS_PASSWORD;
-'contents/variables/OS_AUTH_URL' = OS_KEYSTONE_CONTROLLER_PROTOCOL + '://' + OS_KEYSTONE_CONTROLLER_HOST + ':35357/v3';
+'contents/variables/OS_AUTH_URL' = format(
+    '%s://%s:%s/v3',
+    OS_KEYSTONE_CONTROLLER_PROTOCOL,
+    OS_KEYSTONE_CONTROLLER_HOST,
+    if ( !is_null(OS_KEYSTONE_PUBLIC_ADMIN_PORT) ) OS_KEYSTONE_PUBLIC_ADMIN_PORT else OS_KEYSTONE_CONTROLLER_ADMIN_PORT,
+);
 'contents/variables/OS_IDENTITY_API_VERSION' = 3;
 
 # Create a initialization script
 
 variable CONTENTS_INIT_SCRIPT = {
-  if (OS_NEUTRON_DEFAULT) {
-    file_contents('defaults/openstack/init.sh') + file_contents('defaults/openstack/init-network.sh');
-  } else {
-    file_contents('defaults/openstack/init.sh');
-  };
+    if (OS_NEUTRON_DEFAULT) {
+        file_contents('defaults/openstack/init.sh') + file_contents('defaults/openstack/init-network.sh');
+    } else {
+        file_contents('defaults/openstack/init.sh');
+    };
 };
 include 'components/filecopy/config';
 prefix '/software/components/filecopy/services';
 '{/root/init.sh}' = dict(
-  'perms' ,'755',
-  'config', format(
-    CONTENTS_INIT_SCRIPT,
-    OS_RABBITMQ_USERNAME,
-    OS_RABBITMQ_PASSWORD,
-    OS_REGION_NAME,
-    OS_KEYSTONE_CONTROLLER_HOST,
-    OS_KEYSTONE_CONTROLLER_HOST,
-    OS_GLANCE_CONTROLLER_HOST,
-    OS_NOVA_CONTROLLER_HOST,
-    OS_NEUTRON_CONTROLLER_HOST,
-    OS_HEAT_HOST,
-    OS_HEAT_HOST,
-    OS_CINDER_CONTROLLER_HOST,
-    OS_CINDER_CONTROLLER_HOST,
-    OS_CEILOMETER_CONTROLLER_HOST,
-    OS_USERNAME,
-    OS_PASSWORD,
-    OS_GLANCE_USERNAME,
-    OS_GLANCE_PASSWORD,
-    OS_NOVA_USERNAME,
-    OS_NOVA_PASSWORD,
-    OS_NEUTRON_USERNAME,
-    OS_NEUTRON_PASSWORD,
-    OS_HEAT_USERNAME,
-    OS_HEAT_PASSWORD,
-    OS_HEAT_STACK_DOMAIN,
-    OS_HEAT_DOMAIN_ADMIN_USERNAME,
-    OS_HEAT_DOMAIN_ADMIN_PASSWORD,
-    OS_CINDER_USERNAME,
-    OS_CINDER_PASSWORD,
-    OS_CEILOMETER_DB_HOST,
-    OS_CEILOMETER_DB_USERNAME,
-    OS_CEILOMETER_DB_PASSWORD,
-    OS_CEILOMETER_USERNAME,
-    OS_CEILOMETER_PASSWORD,
-    OS_ADMIN_TOKEN,
-    OS_NEUTRON_DEFAULT_NETWORKS,
-    OS_NEUTRON_DEFAULT_DHCP_POOL['start'],
-    OS_NEUTRON_DEFAULT_DHCP_POOL['end'],
-    OS_NEUTRON_DEFAULT_GATEWAY,
-    OS_NEUTRON_DEFAULT_NAMESERVER,
-    OS_PLACEMENT_USERNAME,
-    OS_PLACEMENT_PASSWORD,
-    OS_PLACEMENT_CONTROLLER_HOST,
-  ),
+    'perms', '755',
+    'config', format(
+        CONTENTS_INIT_SCRIPT,
+        OS_RABBITMQ_USERNAME,
+        OS_RABBITMQ_PASSWORD,
+        OS_REGION_NAME,
+        OS_KEYSTONE_CONTROLLER_HOST,
+        OS_KEYSTONE_CONTROLLER_HOST,
+        OS_GLANCE_CONTROLLER_HOST,
+        OS_NOVA_CONTROLLER_HOST,
+        OS_NEUTRON_CONTROLLER_HOST,
+        OS_HEAT_CONTROLLER_HOST,
+        OS_HEAT_CONTROLLER_HOST,
+        OS_CINDER_CONTROLLER_HOST,
+        OS_CINDER_CONTROLLER_HOST,
+        OS_CEILOMETER_CONTROLLER_HOST,
+        OS_USERNAME,
+        OS_PASSWORD,
+        OS_GLANCE_USERNAME,
+        OS_GLANCE_PASSWORD,
+        OS_NOVA_USERNAME,
+        OS_NOVA_PASSWORD,
+        OS_NEUTRON_USERNAME,
+        OS_NEUTRON_PASSWORD,
+        OS_HEAT_USERNAME,
+        OS_HEAT_PASSWORD,
+        OS_HEAT_STACK_DOMAIN,
+        OS_HEAT_DOMAIN_ADMIN_USERNAME,
+        OS_HEAT_DOMAIN_ADMIN_PASSWORD,
+        OS_CINDER_USERNAME,
+        OS_CINDER_PASSWORD,
+        OS_CEILOMETER_DB_HOST,
+        OS_CEILOMETER_DB_USERNAME,
+        OS_CEILOMETER_DB_PASSWORD,
+        OS_CEILOMETER_USERNAME,
+        OS_CEILOMETER_PASSWORD,
+        OS_ADMIN_TOKEN,
+        OS_NEUTRON_DEFAULT_NETWORKS,
+        OS_NEUTRON_DEFAULT_DHCP_POOL['start'],
+        OS_NEUTRON_DEFAULT_DHCP_POOL['end'],
+        OS_NEUTRON_DEFAULT_GATEWAY,
+        OS_NEUTRON_DEFAULT_NAMESERVER,
+        OS_PLACEMENT_USERNAME,
+        OS_PLACEMENT_PASSWORD,
+        OS_PLACEMENT_CONTROLLER_HOST,
+    ),
 );

defaults/openstack/utils.pan

@@ -2,6 +2,11 @@ unique template features/barbican/config;
 
 variable OS_NODE_SERVICES = append('barbican');
 
+final variable OS_BARBICAN_API_PROCESSES ?= 8;
+final variable OS_BARBICAN_LOG_DIR ?= '/var/log/barbican';
+final variable OS_BARBICAN_GROUP ?= OS_BARBICAN_USERNAME;
+
+
 # Load some useful functions
 include 'defaults/openstack/functions';
 
@@ -11,11 +16,13 @@ include 'types/openstack/barbican';
 # Include general openstack variables
 include 'defaults/openstack/config';
 
+# Include policy file if OS_BARBICAN_POLICY is defined
+include 'components/filecopy/config';
+'/software/components/filecopy/services' = openstack_load_policy('barbican', OS_BARBICAN_POLICY);
+
+
 include 'features/barbican/rpms';
 
-include 'components/systemd/config';
-prefix '/software/components/systemd/unit';
-'httpd/startstop' = true;
 
 ###################################
 # Configuration file for Barbican #
@@ -26,7 +33,6 @@ prefix '/software/components/metaconfig/services/{/etc/barbican/barbican.conf}';
 'module' = 'tiny';
 'convert/joincomma' = true;
 'convert/truefalse' = true;
-'daemons/httpd' = 'restart';
 # Restart memcached to ensure considtency with service configuration changes
 'daemons/memcached' = 'restart';
 bind '/software/components/metaconfig/services/{/etc/barbican/barbican.conf}/contents' = openstack_barbican_config;
@@ -35,37 +41,41 @@ bind '/software/components/metaconfig/services/{/etc/barbican/barbican.conf}/con
 # [DEFAULT] section
 'contents/DEFAULT' = openstack_load_config('features/openstack/base');
 'contents/DEFAULT' = openstack_load_config('features/openstack/logging/' + OS_LOGGING_TYPE);
-'contents/DEFAULT' = openstack_load_ssl_config( OS_BARBICAN_PROTOCOL == 'https' );
 'contents/DEFAULT/my_ip' = PRIMARY_IP;
 'contents/DEFAULT/log_file' = 'barbican-api.log';
-'contents/DEFAULT/host_href' = format('%s://%s:%s', OS_BARBICAN_PROTOCOL, OS_BARBICAN_HOST, OS_BARBICAN_PORT);
+'contents/DEFAULT/host_href' = format(
+    '%s://%s:%s',
+    OS_BARBICAN_PROTOCOL,
+    OS_BARBICAN_PUBLIC_HOST,
+    if ( is_defined(OS_BARBICAN_PUBLIC_PORT) ) OS_BARBICAN_PUBLIC_PORT else OS_BARBICAN_CONTROLLER_PORT,
+);
 'contents/DEFAULT/log_dir' = '/var/log/barbican';
-'contents/DEFAULT/sql_connection' = format('mysql+pymysql://%s:%s@%s/barbican', OS_BARBICAN_DB_USERNAME, OS_BARBICAN_DB_PASSWORD, OS_BARBICAN_DB_HOST);
+'contents/DEFAULT/rpc_response_timeout' = 120;
+'contents/DEFAULT/sql_connection' = format(
+    'mysql+pymysql://%s:%s@%s/barbican',
+    OS_BARBICAN_DB_USERNAME,
+    OS_BARBICAN_DB_PASSWORD,
+    OS_BARBICAN_DB_HOST,
+);
+'contents/DEFAULT/wsgi_default_pool_size' = OS_BARBICAN_WSGI_POOL_SIZE;
 
 # [keystone_authtoken] section
 'contents/keystone_authtoken' = openstack_load_config(OS_AUTH_CLIENT_CONFIG);
 'contents/keystone_authtoken/username' = OS_BARBICAN_USERNAME;
 'contents/keystone_authtoken/password' = OS_BARBICAN_PASSWORD;
 
+#[oslo_messaging_rabbit] section
+'contents/oslo_messaging_rabbit' = openstack_load_config('features/rabbitmq/openstack/client/base');
+'contents/oslo_messaging_rabbit/heartbeat_in_pthread' = false;
+'contents/oslo_messaging_rabbit/kombu_missing_consumer_retry_timeout' = 120;
 
-# ############
-# httpd conf #
-# ############
-
-prefix '/software/components/metaconfig/services/{/etc/httpd/conf.d/wsgi-barbican.conf}';
-'module' = 'openstack/wsgi-barbican';
-'daemons/httpd' = 'restart';
-'contents/listen' = '9311';
+###################
+# Configure uSWGI #
+###################
+include 'features/barbican/uwsgi/config';
 
-'contents/vhosts/0/port' = 9311;
-'contents/vhosts/0/processgroup' = 'barbican-api';
-'contents/vhosts/0/script' = ' /usr/lib/python3.6/site-packages/barbican/api/app.wsgi';
-'contents/vhosts/0/ssl' = openstack_load_ssl_config( OS_BARBICAN_PROTOCOL == 'https' );
 
-# Load TT file to configure Barbican virtual host
-# Run metaconfig in case the TT file was modified and configuration must be regenerated
-include 'components/filecopy/config';
-'/software/components/filecopy/dependencies/post' = openstack_add_component_dependency('metaconfig');
-prefix '/software/components/filecopy/services/{/usr/share/templates/quattor/metaconfig/openstack/wsgi-barbican.tt}';
-'config' = file_contents('features/barbican/metaconfig/wsgi-barbican.tt');
-'perms' = '0644';
+#########################################
+# Configure SSL proxy if SSL is enabled #
+#########################################
+include if ( OS_BARBICAN_PROTOCOL == 'https' ) 'features/barbican/nginx/config';

features/barbican/config.pan

@@ -7,7 +7,7 @@ Listen [% port %]
 <VirtualHost *:[% vhost.port %]>
     WSGIDaemonProcess [% vhost.processgroup %] processes=2 threads=8 user=barbican group=barbican display-name=%{GROUP}
     WSGIProcessGroup [% vhost.processgroup %]
-    WSGIScriptAlias / [% vhost.script %]
+    WSGIScriptAlias / [% vhost.script_path %]/[% vhost.script_name %]
     WSGIApplicationGroup %{GLOBAL}
     WSGIPassAuthorization On
     <IfVersion >= 2.4>
@@ -23,7 +23,7 @@ Listen [% port %]
     ErrorLog /var/log/httpd//barbican_wsgi_main_error_ssl.log
     CustomLog /var/log/httpd/barbican_wsgi_main_access_ssl.log combined
 
-    <Directory /usr/lib/python3.6/site-packages/barbican/api>
+    <Directory [% vhost.script_path %]>
         <IfVersion >= 2.4>
             Require all granted
         </IfVersion>

features/barbican/metaconfig/wsgi-barbican.tt

@@ -0,0 +1,26 @@
+# Add a Nginx VH for handling barbican https requests
+
+unique template features/barbican/nginx/config;
+
+variable OS_BARBICAN_PUBLIC_HOST ?= error('OS_BARBICAN_PUBLIC_HOST must be defined when using SSL with Barbican');
+variable OS_BARBICAN_PUBLIC_PORT ?= error('OS_BARBICAN_PUBLIC_PORT must be defined when using SSL with Barbican');
+
+include 'types/openstack/core';
+
+# Add Nginx and its base configuration
+include 'features/nginx/openstack/config';
+
+# Nginx proxy configuration for Barbican
+include 'components/metaconfig/config';
+prefix '/software/components/metaconfig/services/{/etc/nginx/conf.d/barbican.conf}';
+'module' = 'openstack/nginx-proxy';
+'daemons/nginx' = 'restart';
+# panlint disable=LP006
+bind '/software/components/metaconfig/services/{/etc/nginx/conf.d/barbican.conf}/contents' = openstack_nginx_proxy_config;
+
+'contents/bind_port' = OS_BARBICAN_PUBLIC_PORT;
+'contents/proxy_host' = OS_BARBICAN_CONTROLLER_HOST;
+'contents/proxy_port' = OS_BARBICAN_CONTROLLER_PORT;
+'contents/server_name' = OS_BARBICAN_PUBLIC_HOST;
+'contents/service' = 'barbican';
+'contents/ssl' = openstack_load_ssl_config( true );

features/barbican/nginx/config.pan

@@ -7,7 +7,6 @@ include 'defaults/openstack/functions';
     pkg_repl('python3-barbican');
     pkg_repl('openstack-barbican-api');
     pkg_repl('libibverbs');
-    openstack_add_httpd_packages( OS_BARBICAN_PROTOCOL == 'https' );
 
     SELF;
 };

features/barbican/rpms.pan

@@ -0,0 +1,31 @@
+unique template features/barbican/uwsgi/config;
+
+
+include 'features/uwsgi/openstack/config';
+
+# Load TT file to configure uwsgi application
+# Run metaconfig in case the TT file was modified and configuration must be regenerated
+include 'components/filecopy/config';
+'/software/components/filecopy/dependencies/post' = openstack_add_component_dependency('metaconfig');
+prefix '/software/components/filecopy/services/{/usr/share/templates/quattor/metaconfig/openstack/barbican-api.tt}';
+'config' = file_contents('features/uwsgi/openstack/vassal-paste_deploy.ini.tt');
+'perms' = '0644';
+
+# uwsgi configuration for Barbican API: no explicit restart needed, handled by uwsgi when config file changes
+include 'components/metaconfig/config';
+prefix '/software/components/metaconfig/services/{/etc/uwsgi.d/barbican-api.ini}';
+'module' = 'openstack/barbican-api';
+# Owner/group must match the one used to run the application
+'group' = OS_BARBICAN_GROUP;
+'owner' = OS_BARBICAN_USERNAME;
+# panlint disable=LP006
+bind '/software/components/metaconfig/services/{/etc/uwsgi.d/barbican-api.ini}/contents' = openstack_uwsgi_application_config;
+
+'contents/bind_host' = OS_BARBICAN_CONTROLLER_HOST;
+'contents/bind_port' = OS_BARBICAN_CONTROLLER_PORT;
+'contents/config_files' = list('/etc/barbican/barbican.conf');
+'contents/group' = OS_BARBICAN_GROUP;
+'contents/log_file' = format("%s/api.log", OS_BARBICAN_LOG_DIR);
+'contents/processes' = OS_BARBICAN_API_PROCESSES;
+'contents/user' = OS_BARBICAN_USERNAME;
+'contents/wsgi_file' = '/etc/barbican/barbican-api-paste.ini';