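---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Enable/Disable barbican configurations.
# True only when a non-empty barbican_all inventory group exists.
zun_barbican_enabled: "{{ (groups['barbican_all'] is defined) and (groups['barbican_all'] | length > 0) }}"

# Enable/Disable designate configurations.
# True only when a non-empty designate_all inventory group exists.
zun_designate_enabled: "{{ (groups['designate_all'] is defined) and (groups['designate_all'] | length > 0) }}"

# Notification topics for designate.
zun_notifications_designate: notifications_designate

# Enable/Disable ceilometer configurations.
# True only when a non-empty ceilometer_all inventory group exists.
zun_ceilometer_enabled: "{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}"

## Verbosity Options
# Canonical lowercase boolean; the YAML 1.1 loader used by Ansible reads
# `False` and `false` identically, `false` is what yamllint expects.
debug: false

# python venv executable
zun_venv_python_executable: "{{ openstack_venv_python_executable | default('python3') }}"

# Set the host which will execute the shade modules
# for the service setup. The host must already have
# clouds.yaml properly configured.
zun_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
# Interpreter used on the setup host: the playbook's own python when setup
# runs on localhost, otherwise the python discovered in that host's facts.
zun_service_setup_host_python_interpreter: >-
  {{ openstack_service_setup_host_python_interpreter | default(
  (zun_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}

# Set the package install state for distribution packages
# Options are 'present' and 'latest'
zun_package_state: "{{ package_state | default('latest') }}"

# Source repositories and the ref installed from each (see zun_pip_packages).
# A branch name such as `master` installs whatever the branch head is at
# deploy time; a tag or commit id pins exactly what lands in the venv and
# makes the install reproducible and reviewable.
zun_git_repo: https://opendev.org/openstack/zun
zun_git_install_branch: master
zun_kuryr_git_repo: https://opendev.org/openstack/kuryr-libnetwork
zun_kuryr_git_install_branch: master
# This is only required until kuryr-libnetwork depends upon a version of kuryr-lib
# which includes https://review.opendev.org/c/openstack/kuryr/+/764908
zun_kuryr_lib_git_repo: https://opendev.org/openstack/kuryr
zun_kuryr_lib_git_install_branch: master
# Upper-constraints file applied to every pip install; `|` binds tighter
# than `~`, so the default branch is substituted before concatenation.
zun_upper_constraints_url: >-
  {{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}
zun_git_constraints:
  - "--constraint {{ zun_upper_constraints_url }}"
zun_pip_install_args: "{{ pip_install_options | default('') }}"

# Name of the virtual env to deploy into
zun_venv_tag: "{{ venv_tag | default('untagged') }}"
zun_bin: "/openstack/venvs/zun-{{ zun_venv_tag }}/bin"

# Canonical lowercase boolean (same value as the former `False`).
zun_fatal_deprecations: false

## Zun user information
# Service account; a non-login shell so the account cannot be used
# interactively.
zun_system_user_name: zun
zun_system_group_name: zun
zun_system_shell: /bin/false
zun_system_comment: zun system user
zun_system_home_folder: "/var/lib/{{ zun_system_user_name }}"
zun_system_slice_name: zun
zun_log_dir: "/var/log/zun"
zun_lock_dir: "{{ openstack_lock_dir | default('/run/lock') }}"

## Kuryr user information
# Separate service account for kuryr-libnetwork, also with a non-login shell.
zun_kuryr_system_user_name: kuryr
zun_kuryr_system_group_name: kuryr
zun_kuryr_system_shell: /bin/false
zun_kuryr_system_comment: kuryr system user
zun_kuryr_system_home_folder: "/var/lib/{{ zun_kuryr_system_user_name }}"
zun_kuryr_log_dir: "/var/log/kuryr"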
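## Docker setup information
zun_docker_package_version: "{{ _zun_docker_package_version }}"
zun_containerd_package_version: "{{ _zun_containerd_package_version }}"
zun_kata_package_version: "3.1.0"
# Release tarball for the kata runtime; the download is verified against the
# checksum below, so bumping the version requires updating both values.
zun_kata_package_source: >-
  https://github.com/kata-containers/kata-containers/releases/download/{{ zun_kata_package_version }}/kata-static-{{ zun_kata_package_version }}-x86_64.tar.xz
# Quoted so that no YAML loader ever retypes the digest string.
zun_kata_package_checksum: "sha256:452cc850e021539c14359d016aba18ddba128f59aa9ab637738296d9b5cd78a0"
# NOTE: shipped as a quoted string, not a boolean. A template that tests it
# as a bare Jinja truth value treats any non-empty string (including the
# string 'False') as true; evaluate it with `| bool` to get the intended
# on/off behaviour.
zun_kata_enabled: "True"

# Set a list of users that are permitted to execute the docker binary.
# Membership of the docker group is effectively root on the host, so keep
# this list to the service accounts that genuinely drive the daemon.
zun_docker_users:
  - "{{ zun_system_user_name }}"
  - "{{ zun_kuryr_system_user_name }}"

# Set the docker api version. The default is false, which will result in no
# option being set in config for api servers. On compute hosts the docker api
# version will be used as determined by the client version information.
zun_docker_api_version: false

# Set the address for Docker to bind to. Used by the wsproxy console forwarder
# dockerd is started (see zun_docker_init_defaults) with a plain tcp://
# listener on this address and port and no TLS options, so any client that
# can reach it has full control of the daemon. The default binds every
# interface; restrict it to the management address or firewall the port.
zun_docker_bind_host: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
zun_docker_bind_port: 2375

# Should Docker image cache data be periodically cleaned up?
# Canonical lowercase boolean (same value as the former `False`).
zun_docker_prune_images: false

# Time period for which to clean up old Docker data. The options are hour, day,
# month, or year. (string value)
# Anything other than 'day' gets 'ly' appended to build the systemd
# OnCalendar value (hourly, monthly, yearly).
zun_docker_prune_frequency: hour

## Manually specified zun UID/GID
# Deployers can specify a UID for the zun user as well as the GID for the
# zun group if needed. This is commonly used in environments where shared
# storage is used, such as NFS or GlusterFS, and zun UID/GID values must be
# in sync between multiple servers.
#
# WARNING: Changing these values on an existing deployment can lead to
# failures, errors, and instability.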
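#
# zun_system_user_uid =
# zun_system_group_gid =

## Database info
zun_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}"
# Interpreter used on the DB setup host: the playbook's own python when setup
# runs on localhost, otherwise the python discovered in that host's facts.
zun_db_setup_python_interpreter: >-
  {{ openstack_db_setup_python_interpreter | default((zun_db_setup_host == 'localhost') | ternary(
  ansible_playbook_python, ansible_facts['python']['executable'])) }}
zun_galera_address: "{{ galera_address | default('127.0.0.1') }}"
zun_galera_user: zun
zun_galera_database: zun
# Connection-pool tuning; kept as strings so they are written to zun.conf
# verbatim.
zun_db_max_overflow: "{{ openstack_db_max_overflow | default('50') }}"
zun_db_max_pool_size: "{{ openstack_db_max_pool_size | default('5') }}"
zun_db_pool_timeout: "{{ openstack_db_pool_timeout | default('30') }}"
zun_db_connection_recycle_time: "{{ openstack_db_connection_recycle_time | default('600') }}"

# Toggle whether zun connects via an encrypted connection
# Defaults to a plaintext connection unless the deployment sets galera_use_ssl.
zun_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
# The path where to store the database server CA certificate
zun_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
zun_galera_port: "{{ galera_port | default('3306') }}"

## RabbitMQ info
## Configuration for RPC communications
zun_rpc_thread_pool_size: 64
zun_rpc_conn_pool_size: 30
zun_rpc_response_timeout: 60

## Oslo Messaging info
# RPC
zun_oslomsg_rpc_host_group: "{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}"
# First host of the RPC group, or localhost when the group is absent.
zun_oslomsg_rpc_setup_host: "{{ (zun_oslomsg_rpc_host_group in groups) | ternary(groups[zun_oslomsg_rpc_host_group][0], 'localhost') }}"
zun_oslomsg_rpc_transport: "{{ oslomsg_rpc_transport | default('rabbit') }}"
zun_oslomsg_rpc_servers: "{{ oslomsg_rpc_servers | default('127.0.0.1') }}"
zun_oslomsg_rpc_port: "{{ oslomsg_rpc_port | default('5672') }}"
# Defaults to plaintext AMQP unless the deployment sets oslomsg_rpc_use_ssl;
# the ssl_version / ssl_ca_file values below only apply when this is true.
zun_oslomsg_rpc_use_ssl: "{{ oslomsg_rpc_use_ssl | default(False) }}"
zun_oslomsg_rpc_userid: zun
zun_oslomsg_rpc_vhost: /zun
zun_oslomsg_rpc_ssl_version: "{{ oslomsg_rpc_ssl_version | default('TLSv1_2') }}"
zun_oslomsg_rpc_ssl_ca_file: "{{ oslomsg_rpc_ssl_ca_file | default('') }}"

# Notify
zun_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
# First host of the notify group, or localhost when the group is absent.
zun_oslomsg_notify_setup_host: "{{ (zun_oslomsg_notify_host_group in groups) | ternary(groups[zun_oslomsg_notify_host_group][0], 'localhost') }}"
zun_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
zun_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
zun_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
zun_oslomsg_notify_use_ssl: "{{ oslomsg_notify_use_ssl | default(False) }}"
# The notify credentials reuse the RPC ones. zun_oslomsg_rpc_password is not
# defined in this file; it is expected to come from the deployment's secrets.
zun_oslomsg_notify_userid: "{{ zun_oslomsg_rpc_userid }}"
zun_oslomsg_notify_password: "{{ zun_oslomsg_rpc_password }}"
zun_oslomsg_notify_vhost: "{{ zun_oslomsg_rpc_vhost }}"
zun_oslomsg_notify_ssl_version: "{{ oslomsg_notify_ssl_version | default('TLSv1_2') }}"
zun_oslomsg_notify_ssl_ca_file: "{{ oslomsg_notify_ssl_ca_file | default('') }}"

# If this is not set, then the playbook will try to guess it.
# zun_virt_type: kvm

## Zun Auth
zun_service_region: "{{ service_region | default('RegionOne') }}"
zun_service_project_name: "service"
zun_service_project_domain_id: default
zun_service_user_domain_id: default
zun_service_user_name: "zun"
# Roles granted to the zun service user in keystone.
zun_service_role_names:
  - admin
  - service
# Roles accepted on service tokens; enforcement is on by default.
zun_service_token_roles:
  - service
zun_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"

## Zun Auth for kuryr
zun_kuryr_service_username: kuryr

## Keystone authentication middleware
zun_keystone_auth_plugin: password

## Zun WebSocket Proxy
# wss when the public endpoint is https, plain ws otherwise.
zun_wsproxy_proto: "{{ (openstack_service_publicuri_proto | default('http') == 'https') | ternary('wss', 'ws') }}"
zun_wsproxy_port: 6784
zun_wsproxy_host: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
zun_wsproxy_base_uri: "{{ zun_wsproxy_proto }}://{{ external_lb_vip_address }}:{{ zun_wsproxy_port }}"

## Zun v1
zun_service_name: zun
zun_service_type: container
zun_service_proto: http
zun_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(zun_service_proto) }}"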
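zun_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(zun_service_proto) }}"
zun_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(zun_service_proto) }}"
zun_service_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
zun_service_port: 9517
# kuryr-libnetwork only listens on loopback; docker reaches it locally.
zun_kuryr_service_address: 127.0.0.1
zun_kuryr_service_port: 23750
zun_service_description: "Zun Compute Service"
# Public endpoint goes through the external VIP, admin/internal through the
# internal VIP; the *url variables are aliases of the *uri ones.
zun_service_publicuri: "{{ zun_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ zun_service_port }}"
zun_service_publicurl: "{{ zun_service_publicuri }}"
zun_service_adminuri: "{{ zun_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ zun_service_port }}"
zun_service_adminurl: "{{ zun_service_adminuri }}"
zun_service_internaluri: "{{ zun_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ zun_service_port }}"
zun_service_internalurl: "{{ zun_service_internaluri }}"
zun_service_endpoint_type: internalURL

# If you want to regenerate the zun users SSH keys, on each run, set this var to true
# Otherwise keys will be generated on the first run and not regenerated each run.
# Canonical lowercase boolean (same value as the former `False`).
zun_recreate_keys: false

## General Zun configuration
# Select between the 'runc' or 'kata' runtime
zun_container_runtime: runc

# If ``zun_osapi_compute_workers`` is unset the system will use half the number of available VCPUS to
# compute the number of api workers to use.
# zun_osapi_compute_workers: 16

# If ``zun_conductor_workers`` is unset the system will use half the number of available VCPUS to
# compute the number of conductor workers to use.
# zun_conductor_workers: 16

# If ``zun_metadata_workers`` is unset the system will use half the number of available VCPUS to
# compute the number of metadata workers to use.
# zun_metadata_workers: 16

## Cap the maximum number of threads / workers when a user value is unspecified.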
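zun_api_threads_max: 16
# Threads = min(2 * physical cores (at least 1), zun_api_threads_max).
zun_api_threads: >-
  {{ [[(ansible_facts['processor_vcpus'] // ansible_facts['processor_threads_per_core']) | default(1), 1] | max * 2, zun_api_threads_max] | min }}
zun_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
# Folded scalar: rendered as a single comma-separated line.
zun_scheduler_default_filters: >-
  AvailabilityZoneFilter,
  ComputeFilter
zun_scheduler_available_filters: zun.scheduler.filters.all_filters
zun_scheduler_driver: filter_scheduler

## uWSGI setup
zun_wsgi_threads: 1
zun_wsgi_processes_max: 16
# Processes = min(2 * vCPUs (at least 1), zun_wsgi_processes_max).
zun_wsgi_processes: "{{ [[ansible_facts['processor_vcpus'] | default(1), 1] | max * 2, zun_wsgi_processes_max] | min }}"

## Service Name-Group Mapping
# One entry per systemd unit the role manages; start_order sequences them.
# Boolean flags are written as canonical lowercase `true` (same value as the
# former `True`).
zun_services:
  kuryr-libnetwork:
    group: zun_compute
    service_name: kuryr-libnetwork
    condition: "{{ inventory_hostname in groups['zun_compute'] }}"
    init_config_overrides: "{{ zun_kuryr_init_defaults | combine(zun_kuryr_init_overrides, recursive=True) }}"
    start_order: 3
    wsgi_app: true
    wsgi: kuryr_libnetwork.server:app
    uwsgi_bind_address: "{{ zun_kuryr_service_address }}"
    uwsgi_port: "{{ zun_kuryr_service_port }}"
    uwsgi_overrides: "{{ zun_kuryr_uwsgi_conf_overrides }}"
    uwsgi_uid: "{{ zun_kuryr_system_user_name }}"
    uwsgi_guid: "{{ zun_kuryr_system_group_name }}"
  zun-api:
    group: zun_api
    service_name: zun-api
    init_config_overrides: "{{ zun_api_init_overrides }}"
    start_order: 1
    wsgi_app: true
    wsgi_path: "{{ zun_bin }}/zun-api-wsgi"
    uwsgi_bind_address: "{{ zun_service_address }}"
    uwsgi_port: "{{ zun_service_port }}"
    uwsgi_overrides: "{{ zun_uwsgi_conf_overrides }}"
    uwsgi_uid: "{{ zun_system_user_name }}"
    uwsgi_guid: "{{ zun_system_group_name }}"
    # TLS on the backend listener only when zun_backend_ssl is set.
    uwsgi_tls: "{{ zun_backend_ssl | ternary(zun_uwsgi_tls, {}) }}"
  zun-compute:
    group: zun_compute
    service_name: zun-compute
    init_config_overrides: "{{ zun_compute_init_overrides }}"
    start_order: 5
    execstarts: "{{ zun_bin }}/zun-compute --config-dir /etc/zun"
  zun-wsproxy:
    group: zun_api
    service_name: zun-wsproxy
    init_config_overrides: "{{ zun_wsproxy_init_overrides }}"
    start_order: 2
    execstarts: "{{ zun_bin }}/zun-wsproxy --config-dir /etc/zun"
  zun-docker-cleanup:
    group: zun_compute
    service_name: zun-docker-cleanup
    init_config_overrides: "{{ zun_docker_cleanup_init_overrides }}"
    start_order: 6
    execstarts: "{{ zun_bin }}/zun-docker-cleanup"
    # Timer-driven unit; OnCalendar is derived from zun_docker_prune_frequency
    # ('day' -> daily, otherwise the value plus 'ly').
    timer:
      state: started
      options:
        OnBootSec: 30min
        OnCalendar: "{{ (zun_docker_prune_frequency == 'day') | ternary('daily', zun_docker_prune_frequency + 'ly') }}"
        Persistent: true
  docker:
    group: zun_compute
    service_name: docker
    init_config_overrides: {}
    start_order: 4
    # The distro unit is kept; only a drop-in override is written.
    systemd_overrides_only: true
    systemd_overrides: "{{ zun_docker_init_defaults | combine(zun_docker_init_overrides, recursive=True) }}"

# Common pip packages
# The three git+ entries install straight from the repo/ref pairs defined
# above; everything else resolves through the upper-constraints file.
zun_pip_packages:
  - "git+{{ zun_git_repo }}@{{ zun_git_install_branch }}#egg=zun"
  - "git+{{ zun_kuryr_lib_git_repo }}@{{ zun_kuryr_lib_git_install_branch }}#egg=kuryr-lib"
  - "git+{{ zun_kuryr_git_repo }}@{{ zun_kuryr_git_install_branch }}#egg=kuryr-libnetwork"
  - oslo_rootwrap
  - osprofiler
  - python-memcached
  - pymemcache
  - python-zunclient
  - pymysql
  - systemd-python

## (Qdrouterd) integration
# TODO(ansmith): Change structure when more backends will be supported
zun_oslomsg_amqp1_enabled: "{{ zun_oslomsg_rpc_transport == 'amqp' }}"

zun_memcached_servers: "{{ memcached_servers }}"

zun_optional_oslomsg_amqp1_pip_packages:
  - oslo.messaging[amqp1]

## Default service options used within all systemd unit files.
zun_service_defaults: {}

## Tunable overrides for services
zun_zun_conf_overrides: {}
zun_rootwrap_conf_overrides: {}
zun_kuryr_conf_overrides: {}
zun_docker_config_overrides: {}
zun_kuryr_config_overrides: {}
zun_uwsgi_conf_overrides: {}
zun_kuryr_uwsgi_conf_overrides:
  uwsgi:
    pyargv: --config-file /etc/kuryr/kuryr.conf
# Certificate/key pair handed to uwsgi when backend TLS is enabled.
zun_uwsgi_tls:
  crt: "{{ zun_ssl_cert }}"
  key: "{{ zun_ssl_key }}"

## Default zun+kuryr options used within the systemd unit file.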
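zun_kuryr_init_defaults:
  Unit:
    Before: docker.service
    After: network-online.target
    Wants: network-online.target
  Service:
    # Only CAP_NET_ADMIN is left in the bounding set, and it is granted as an
    # ambient capability so the unprivileged kuryr user receives it.
    CapabilityBoundingSet: CAP_NET_ADMIN
    AmbientCapabilities: CAP_NET_ADMIN
    Group: "{{ zun_kuryr_system_group_name }}"
    User: "{{ zun_kuryr_system_user_name }}"

# Key-value storage for docker swarm standalone mode.
# Possible options: zk, etcd and consul
zun_docker_kv_storage: etcd
zun_docker_kv_port: 2379
zun_docker_kv_group: zun_api

## Default zun+docker options used within the systemd unit file.
# The empty first ExecStart entry resets the distro unit's ExecStart so the
# second entry fully replaces it. The tcp:// listener carries no TLS flags,
# so reachability of zun_docker_bind_host:zun_docker_bind_port is the only
# access control on the daemon. The cluster-store URL enumerates every host
# in zun_docker_kv_group by its management_address.
# `zun_kata_enabled | bool` is used deliberately: the variable ships as a
# quoted string, and a bare `{% if %}` would treat the string 'False' as
# true; `| bool` accepts both string and boolean values.
zun_docker_init_defaults:
  Service:
    ExecStart:
      - ""
      - "/usr/bin/dockerd --group {{ zun_system_group_name }} -H tcp://{{ zun_docker_bind_host }}:{{ zun_docker_bind_port }} -H unix:///var/run/docker.sock --cluster-store {{ zun_docker_kv_storage }}://{% for item in groups[zun_docker_kv_group] %}{{ hostvars[item]['management_address'] }}:{{ zun_docker_kv_port }}{% if not loop.last %},{% endif %}{% endfor %}{% if zun_kata_enabled | bool %} --add-runtime kata=/opt/kata/bin/kata-runtime{% endif %}"  # noqa: yaml[line-length]

## Tunable overrides for service unit files.
zun_api_paste_ini_overrides: {}
zun_api_init_overrides: {}
zun_wsproxy_init_overrides: {}
zun_compute_init_overrides: {}
zun_kuryr_init_overrides: {}
zun_docker_init_overrides: {}
zun_docker_cleanup_init_overrides: {}
zun_policy_overrides: {}

###
### Backend TLS
###

# Define if communication between haproxy and service backends should be
# encrypted with TLS.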
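zun_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"

# Storage location for SSL certificate authority
zun_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"

# Delegated host for operating the certificate authority
zun_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"

# zun server certificate
zun_pki_keys_path: "{{ zun_pki_dir ~ '/certs/private/' }}"
zun_pki_certs_path: "{{ zun_pki_dir ~ '/certs/certs/' }}"
zun_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
# Empty string means "do not regenerate"; set to force a new certificate.
zun_pki_regen_cert: ''
# SAN covers the hostname and the management address unless overridden.
zun_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
zun_pki_certificates:
  - name: "zun_{{ ansible_facts['hostname'] }}"
    provider: ownca
    cn: "{{ ansible_facts['hostname'] }}"
    san: "{{ zun_pki_san }}"
    signed_by: "{{ zun_pki_intermediate_cert_name }}"

# zun destination files for SSL certificates
zun_ssl_cert: /etc/zun/zun.pem
zun_ssl_key: /etc/zun/zun.key

# Installation details for SSL certificates
# Files are owned by the zun service user/group; the private key is 0600 so
# only that user can read it, the certificate chain is world-readable.
# `group` uses zun_system_group_name rather than the user name so that a
# deployment overriding only the group name still gets the right ownership
# (both default to 'zun').
zun_pki_install_certificates:
  - src: "{{ zun_user_ssl_cert | default(zun_pki_certs_path ~ 'zun_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
    dest: "{{ zun_ssl_cert }}"
    owner: "{{ zun_system_user_name }}"
    group: "{{ zun_system_group_name }}"
    mode: "0644"
  - src: "{{ zun_user_ssl_key | default(zun_pki_keys_path ~ 'zun_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
    dest: "{{ zun_ssl_key }}"
    owner: "{{ zun_system_user_name }}"
    group: "{{ zun_system_group_name }}"
    mode: "0600"

# Define user-provided SSL certificates
# zun_user_ssl_cert:
# zun_user_ssl_key: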