heat_template_version: rocky

description: >
  OpenStack Libvirt Service

parameters:
  DockerNovaLibvirtImage:
    description: image
    type: string
  # we configure libvirt via the nova-compute container due to coupling
  # in the puppet modules
  DockerNovaLibvirtConfigImage:
    description: The container image to use for the nova_libvirt config_volume
    type: string
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  EnableInternalTLS:
    type: boolean
    default: false
  UseTLSTransportForLiveMigration:
    type: boolean
    default: true
    description: If set to true and if EnableInternalTLS is enabled, it will
                 set the libvirt URI's transport to tls and configure the
                 relevant keys for libvirt.
  DockerNovaMigrationSshdPort:
    default: 2022
    description: Port that dockerized nova migration target sshd service
                 binds to.
    type: number
  NovaEnableRbdBackend:
    default: false
    description: Whether to enable or not the Rbd backend for Nova
    type: boolean
  CinderEnableRbdBackend:
    default: false
    description: Whether to enable or not the Rbd backend for Cinder
    type: boolean
  CephClientKey:
    description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
    type: string
    hidden: true
  CephClusterFSID:
    type: string
    description: The Ceph cluster FSID. Must be a UUID.
  CephClientUserName:
    default: openstack
    type: string
  CephClusterName:
    type: string
    default: ceph
    description: The Ceph cluster name.
    constraints:
    - allowed_pattern: "[a-zA-Z0-9]+"
      description: >
        The Ceph cluster name must be at least 1 character and contain only
        letters and numbers.
  UseTLSTransportForVnc:
    type: boolean
    default: true
    description: If set to true and if EnableInternalTLS is enabled, it will
                 enable TLS transaport for libvirt VNC and configure the
                 relevant keys for libvirt.
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  InternalTLSVncCAFile:
    default: '/etc/pki/CA/certs/vnc.crt'
    type: string
    description: Specifies the CA cert to use for VNC TLS.
  LibvirtCACert:
    type: string
    default: ''
    description: This specifies the CA certificate to use for TLS in libvirt.
                 This file will be symlinked to the default CA path in libvirt,
                 which is /etc/pki/CA/cacert.pem. Note that due to limitations
                 GNU TLS, which is the TLS backend for libvirt, the file must
                 be less than 65K (so we can't use the system's CA bundle).
                 This parameter should be used if the default (which comes from
                 the InternalTLSCAFile parameter) is not desired. The current
                 default reflects TripleO's default CA, which is FreeIPA.
                 It will only be used if internal TLS is enabled.
  LibvirtVncCACert:
    type: string
    default: ''
    description: This specifies the CA certificate to use for VNC TLS.
                 This file will be symlinked to the default CA path,
                 which is /etc/pki/libvirt-vnc/ca-cert.pem.
                 This parameter should be used if the default (which comes from
                 the InternalTLSVncCAFile parameter) is not desired. The current
                 default reflects TripleO's default CA, which is FreeIPA.
                 It will only be used if internal TLS is enabled.
  VhostuserSocketGroup:
    default: "qemu"
    description: >
      The vhost-user socket directory group name.
      Defaults to 'qemu'. When vhostuser mode is 'dpdkvhostuserclient'
      (which is the default mode), the vhost socket is created by qemu.
    type: string
    tags:
      - role_specific

conditions:

  use_tls_for_live_migration:
    and:
    - equals:
      - {get_param: EnableInternalTLS}
      - true
    - equals:
      - {get_param: UseTLSTransportForLiveMigration}
      - true

  libvirt_specific_ca_unset:
    equals:
      - {get_param: LibvirtCACert}
      - ''

  need_libvirt_secret:
    or:
    - equals:
      - {get_param: NovaEnableRbdBackend}
      - true
    - equals:
      - {get_param: CinderEnableRbdBackend}
      - true

  use_tls_for_vnc:
    and:
    - equals:
      - {get_param: EnableInternalTLS}
      - true
    - equals:
      - {get_param: UseTLSTransportForVnc}
      - true

  libvirt_vnc_specific_ca_unset:
    equals:
      - {get_param: LibvirtVncCACert}
      - ''


resources:
  RoleParametersValue:
    type: OS::Heat::Value
    properties:
      type: json
      value:
        map_replace:
          - map_replace:
            - vhostuser_socket_group: VhostuserSocketGroup
            - values: {get_param: [RoleParameters]}
          - values:
              VhostuserSocketGroup: {get_param: VhostuserSocketGroup}


  ContainersCommon:
    type: ./containers-common.yaml

  MySQLClient:
    type: ../../puppet/services/database/mysql-client.yaml

  NovaLibvirtBase:
    type: ../../puppet/services/nova-libvirt.yaml
    properties:
      EndpointMap: {get_param: EndpointMap}
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

  NovaLibvirtLogging:
    type: OS::TripleO::Services::Logging::NovaLibvirt

outputs:
  role_data:
    description: Role data for the Libvirt service.
    value:
      service_name: {get_attr: [NovaLibvirtBase, role_data, service_name]}
      config_settings:
        map_merge:
          - get_attr: [NovaLibvirtBase, role_data, config_settings]
          - get_attr: [NovaLibvirtLogging, config_settings]
          - tripleo::profile::base::certmonger_user::libvirt_postsave_cmd: "true" # TODO: restart the libvirt container here

      logging_source: {get_attr: [NovaLibvirtBase, role_data, logging_source]}
      logging_groups: {get_attr: [NovaLibvirtBase, role_data, logging_groups]}
      puppet_config:
        config_volume: nova_libvirt
        puppet_tags: libvirtd_config,nova_config,file,libvirt_tls_password
        step_config:
          list_join:
            - "\n"
            - - {get_attr: [NovaLibvirtBase, role_data, step_config]}
              - {get_attr: [MySQLClient, role_data, step_config]}
        config_image: {get_param: DockerNovaLibvirtConfigImage}
      kolla_config:
        /var/lib/kolla/config_files/nova_libvirt.json:
          command:
            if:
              - use_tls_for_live_migration
              - /usr/sbin/libvirtd --listen
              - /usr/sbin/libvirtd
          config_files:
            list_concat:
              -
                - source: "/var/lib/kolla/config_files/src/*"
                  dest: "/"
                  merge: true
                  preserve_properties: true
                - source: "/var/lib/kolla/config_files/src-tls/*"
                  dest: "/"
                  merge: true
                  preserve_properties: true
                  optional: true
                - source: "/var/lib/kolla/config_files/src-ceph/"
                  dest: "/etc/ceph/"
                  merge: true
                  preserve_properties: true
              - if:
                - use_tls_for_vnc
                -
                  - source: /var/lib/kolla/config_files/src-libvirt-vnc-pki/server-*.pem
                    dest: /etc/pki/libvirt-vnc/
                    merge: true
                    preserve_properties: true
                - null
          permissions:
            list_concat:
              -
                - path:
                    str_replace:
                      template: /etc/ceph/CLUSTER.client.USER.keyring
                      params:
                        CLUSTER: {get_param: CephClusterName}
                        USER: {get_param: CephClientUserName}
                  owner: nova:nova
                  perm: '0600'
              - if:
                - use_tls_for_vnc
                -
                  - path: /etc/pki/libvirt-vnc/server-key.pem
                    owner: root:qemu
                    perm: '0640'
                - null
        /var/lib/kolla/config_files/nova_virtlogd.json:
          command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
          config_files:
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
      docker_config:
        step_3:
          nova_virtlogd:
            start_order: 0
            image: {get_param: DockerNovaLibvirtImage}
            net: host
            pid: host
            privileged: true
            restart: always
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                -
                  - /var/lib/kolla/config_files/nova_virtlogd.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/nova_libvirt/:/var/lib/kolla/config_files/src:ro
                  - /lib/modules:/lib/modules:ro
                  - /dev:/dev
                  - /run:/run
                  - /sys/fs/cgroup:/sys/fs/cgroup
                  - /var/lib/nova:/var/lib/nova:shared
                  - /var/run/libvirt:/var/run/libvirt
                  - /var/lib/libvirt:/var/lib/libvirt
                  - /etc/libvirt/qemu:/etc/libvirt/qemu:ro
                  - /var/log/libvirt/qemu:/var/log/libvirt/qemu
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
          nova_libvirt:
            start_order: 1
            image: {get_param: DockerNovaLibvirtImage}
            net: host
            pid: host
            privileged: true
            restart: always
            healthcheck:
              test: /openstack/healthcheck
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                -
                  - /var/lib/kolla/config_files/nova_libvirt.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/nova_libvirt/:/var/lib/kolla/config_files/src:ro
                  - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
                  - /lib/modules:/lib/modules:ro
                  - /dev:/dev
                  - /run:/run
                  - /sys/fs/cgroup:/sys/fs/cgroup
                  - /var/lib/nova:/var/lib/nova:shared
                  - /etc/libvirt:/etc/libvirt
                  - /var/run/libvirt:/var/run/libvirt
                  - /var/lib/libvirt:/var/lib/libvirt
                  - /var/log/containers/libvirt:/var/log/libvirt
                  - /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro
                  - /var/lib/vhost_sockets:/var/lib/vhost_sockets
                  - /sys/fs/selinux:/sys/fs/selinux
                -
                  if:
                    - use_tls_for_live_migration
                    -
                      - str_replace:
                          template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/CA/cacert.pem:ro"
                          params:
                            CACERT:
                              if:
                                - libvirt_specific_ca_unset
                                - get_param: InternalTLSCAFile
                                - get_param: LibvirtCACert
                      - /etc/pki/libvirt/servercert.pem:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/servercert.pem:ro
                      - /etc/pki/libvirt/private/serverkey.pem:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/private/serverkey.pem:ro
                      - /etc/pki/libvirt/clientcert.pem:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/clientcert.pem:ro
                      - /etc/pki/libvirt/private/clientkey.pem:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/private/clientkey.pem:ro
                    - null
                -
                  if:
                    - use_tls_for_vnc
                    -
                      - str_replace:
                          template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt-vnc/ca-cert.pem:ro"
                          params:
                            CACERT:
                              if:
                                - libvirt_vnc_specific_ca_unset
                                - get_param: InternalTLSVncCAFile
                                - get_param: LibvirtVncCACert
                      - /etc/pki/libvirt-vnc:/var/lib/kolla/config_files/src-libvirt-vnc-pki:ro
                    - null
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
        step_4:
          if:
            - need_libvirt_secret
            - nova_libvirt_init_secret:
                detach: false
                image: {get_param: DockerNovaLibvirtImage}
                privileged: false
                user: root
                volumes:
                  list_concat:
                    - {get_attr: [ContainersCommon, volumes]}
                    -
                      - /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova:ro
                      - /etc/libvirt:/etc/libvirt
                      - /var/run/libvirt:/var/run/libvirt
                      - /var/lib/libvirt:/var/lib/libvirt
                command:
                  - /bin/bash
                  - -c
                  - str_replace:
                      template: /usr/bin/virsh secret-define --file /etc/nova/secret.xml && /usr/bin/virsh secret-set-value --secret 'SECRET_UUID' --base64 'SECRET_KEY'
                      params:
                        SECRET_UUID: {get_param: CephClusterFSID}
                        SECRET_KEY: {get_param: CephClientKey}
            - {}
      host_prep_tasks:
        - name: create libvirt persistent data directories
          file:
            path: "{{ item }}"
            state: directory
          with_items:
            - /etc/libvirt
            - /etc/libvirt/secrets
            - /etc/libvirt/qemu
            - /var/lib/libvirt
            - /var/log/containers/libvirt
        # qemu user on host will be cretaed by libvirt package install, ensure
        # the qemu user created with same uid/gid as like libvirt package.
        # These specific values are required since ovs is running on host.
        # Once ovs with DPDK is containerized, we could modify this uid/gid
        # to match with kolla config values.
        - name: ensure qemu group is present on the host
          group:
            name: qemu
            gid: 107
            state: present
        - name: ensure qemu user is present on the host
          user:
            name: qemu
            uid: 107
            group: qemu
            state: present
            shell: /sbin/nologin
            comment: qemu user
        - name: create directory for vhost-user sockets with qemu ownership
          file:
            path: /var/lib/vhost_sockets
            state: directory
            owner: qemu
            group: {get_attr: [RoleParametersValue, value, vhostuser_socket_group]}
            setype: virt_cache_t
            seuser: system_u
        - name: ensure ceph configurations exist
          file:
            path: /etc/ceph
            state: directory
        - name: check if libvirt is installed
          command: /usr/bin/rpm -q libvirt-daemon
          failed_when: false
          register: libvirt_installed
        - name: make sure libvirt services are disabled
          service:
            name: "{{ item }}"
            state: stopped
            enabled: no
          with_items:
            - libvirtd.service
            - virtlogd.socket
          when: libvirt_installed.rc == 0
      metadata_settings:
        get_attr: [NovaLibvirtBase, role_data, metadata_settings]
      upgrade_tasks:
        - when: step|int == 0
          tags: common
          block:
            - name: Check if nova_libvirt is deployed
              command: systemctl is-enabled --quiet libvirtd
              ignore_errors: True
              register: nova_libvirt_enabled_result
            - name: Set fact nova_libvirt_enabled
              set_fact:
                nova_libvirt_enabled: "{{ nova_libvirt_enabled_result.rc == 0 }}"
            - name: "PreUpgrade step0,validation: Check service libvirtd is running"
              command: systemctl is-active --quiet libvirtd
              tags: validation
              when: nova_libvirt_enabled|bool
        - when: step|int == 2
          block:
            - name: Stop and disable libvirtd service
              when: nova_libvirt_enabled|bool
              service: name=libvirtd state=stopped enabled=no