3 # Setup and configure the Nova API endpoint
8 # (required) The password to set for the nova admin user in keystone
11 # (optional) Whether the nova api service will be run
15 # (optional) Whether to start/stop the service
19 # (optional) Whether the nova api package will be installed
20 # Defaults to 'present'
23 # (DEPRECATED) Does nothing and will be removed in Icehouse
27 # (optional) The IP of the server running keystone
28 # Defaults to '127.0.0.1'
31 # (optional) The port to use when authenticating against Keystone
35 # (optional) The protocol to use when authenticating against Keystone
39 # (optional) The uri of a Keystone service to authenticate against
42 # [*auth_admin_prefix*]
43 # (optional) Prefix to prepend at the beginning of the keystone path
47 # (optional) API version of the admin Identity API endpoint
48 # for example, use 'v3.0' for the keystone version 3.0 api
51 # [*admin_tenant_name*]
52 # (optional) The name of the tenant to create in keystone for use by the nova services
53 # Defaults to 'services'
56 # (optional) The name of the user to create in keystone for use by the nova services
59 # [*api_bind_address*]
60 # (optional) IP address for the nova-api server to listen on
61 # Defaults to '0.0.0.0' (all interfaces)
64 # (optional) IP address for the metadata server to listen on
65 # Defaults to '0.0.0.0' (all interfaces)
68 # (optional) A comma separated list of apis to enable
69 # Defaults to 'ec2,osapi_compute,metadata'
71 # [*keystone_ec2_url*]
72 # (optional) The keystone url where nova should send requests for ec2tokens
75 # [*volume_api_class*]
76 # (optional) The name of the class that nova will use to access volumes. Cinder is the only option.
77 # Defaults to 'nova.volume.cinder.API'
79 # [*use_forwarded_for*]
80 # (optional) Treat X-Forwarded-For as the canonical remote address. Only
81 # enable this if you have a sanitizing proxy; otherwise clients can set the header themselves and choose the address nova sees.
84 # [*osapi_compute_workers*]
85 # (optional) Number of workers for OpenStack API service
86 # Defaults to $::processorcount
89 # (optional) Number of workers for EC2 service
90 # Defaults to $::processorcount
92 # [*metadata_workers*]
93 # (optional) Number of workers for metadata service
94 # Defaults to $::processorcount
96 # [*conductor_workers*]
97 # (optional) DEPRECATED. Use workers parameter of nova::conductor
102 # (optional) Run nova-manage db sync on api nodes after installing the package.
105 # [*neutron_metadata_proxy_shared_secret*]
106 # (optional) Shared secret used to validate proxied Neutron metadata requests
110 # (optional) Pci passthrough for controller:
113 # "[ {'vendor_id':'1234', 'product_id':'5678', 'name':'default'}, {...} ]"
116 # (optional) A string that is a semicolon-separated list of 5-tuples.
117 # See http://docs.openstack.org/trunk/config-reference/content/configuring-compute-API.html
118 # Example: '(POST, "*", .*, 10, MINUTE);(POST, "*/servers", ^/servers, 50, DAY);(PUT, "*", .*, 10, MINUTE)'
121 # [*ratelimits_factory*]
122 # (optional) The rate limiting factory to use
123 # Defaults to 'nova.api.openstack.compute.limits:RateLimitingMiddleware.factory'
126 # (optional) Whether to enable Nova API v3
130 # (optional) Whether to validate the service is working after any service refreshes
133 # [*validation_options*]
134 # (optional) Service validation options
135 # Should be a hash of options defined in openstacklib::service_validation
136 # If empty, default values are taken from the openstacklib function.
137 # The default command lists nova flavors.
138 # Requires validate to be set to true.
140 # nova::api::validation_options:
142 # command: check_nova.py
143 # path: /usr/bin:/bin:/usr/sbin:/sbin
# Parameter defaults of the class. The class header and several parameters
# are not visible in this listing.
152 $manage_service = true,
153 $ensure_package = 'present',
154 $auth_strategy = undef,
155 $auth_host = '127.0.0.1',
# NOTE(review): the default protocol is plain 'http'. The value is written to
# keystone_authtoken/auth_protocol and used to build the default auth_uri, so
# unless 'https' is passed nova is pointed at Keystone over unencrypted HTTP.
157 $auth_protocol = 'http',
159 $auth_admin_prefix = false,
160 $auth_version = false,
161 $admin_tenant_name = 'services',
162 $admin_user = 'nova',
# NOTE(review): both listen addresses default to all interfaces; pass a
# specific address (or filter the ports) on hosts attached to networks that
# should not reach the API or metadata service.
163 $api_bind_address = '0.0.0.0',
164 $metadata_listen = '0.0.0.0',
165 $enabled_apis = 'ec2,osapi_compute,metadata',
166 $keystone_ec2_url = false,
167 $volume_api_class = 'nova.volume.cinder.API',
# Leave false unless a sanitizing proxy sits in front of the API, as the
# parameter documentation above requires.
168 $use_forwarded_for = false,
# Worker counts follow the node's processor count fact by default.
169 $osapi_compute_workers = $::processorcount,
170 $ec2_workers = $::processorcount,
171 $metadata_workers = $::processorcount,
# No default secret: the metadata proxy settings are only enabled when a
# value is supplied.
173 $neutron_metadata_proxy_shared_secret = undef,
177 $ratelimits_factory =
178 'nova.api.openstack.compute.limits:RateLimitingMiddleware.factory',
# Empty hash means the validation defaults built at the end of the class
# are used unchanged.
180 $validation_options = {},
181 # DEPRECATED PARAMETER
183 $conductor_workers = undef,
# Class dependencies and resource ordering.
# `require` pulls in keystone::python and orders it before this class;
# `include` only declares cinder::client.
189 require keystone::python
190 include cinder::client
# `->` is ordering only: the packages are applied before the api-paste.ini
# settings and before the nova::api / nova::policy classes.
192 Package<| title == 'nova-api' |> -> Nova_paste_api_ini<| |>
194 Package<| title == 'nova-common' |> -> Class['nova::api']
195 Package<| title == 'nova-common' |> -> Class['nova::policy']
# `~>` also notifies: any change to api-paste.ini settings or to the policy
# class refreshes the listed exec / the nova-api service.
197 Nova_paste_api_ini<| |> ~> Exec['post-nova_config']
199 Nova_paste_api_ini<| |> ~> Service['nova-api']
200 Class['nova::policy'] ~> Service['nova-api']
# Deprecation handling. The enclosing `if`/`else` lines for the first two
# cases are not visible in this listing.
203 warning('The auth_strategy parameter is deprecated and has no effect.')
# The deprecated `workers` value, when used, takes the place of
# osapi_compute_workers in the value written to nova.conf.
207 warning('The workers parameter is deprecated, use osapi_compute_workers instead.')
208 $osapi_compute_workers_real = $workers
210 $osapi_compute_workers_real = $osapi_compute_workers
# conductor_workers is accepted but only triggers a warning.
213 if $conductor_workers {
214 warning('The conductor_workers parameter is deprecated and has no effect. Use workers parameter of nova::conductor class instead.')
# Declare the nova-api package and service through the shared
# nova::generic_service define; package and service names come from
# nova::params.
217 nova::generic_service { 'api':
219 manage_service => $manage_service,
220 ensure_package => $ensure_package,
221 package_name => $::nova::params::api_package_name,
222 service_name => $::nova::params::api_service_name,
# Changes in the cinder::client class refresh this resource.
223 subscribe => Class['cinder::client'],
# nova.conf settings for the API services (the opening `nova_config {` line
# is not visible in this listing).
227 'DEFAULT/enabled_apis': value => $enabled_apis;
228 'DEFAULT/volume_api_class': value => $volume_api_class;
# The EC2, compute and volume listeners all share $api_bind_address; only
# the metadata listener has its own parameter.
229 'DEFAULT/ec2_listen': value => $api_bind_address;
230 'DEFAULT/osapi_compute_listen': value => $api_bind_address;
231 'DEFAULT/metadata_listen': value => $metadata_listen;
232 'DEFAULT/osapi_volume_listen': value => $api_bind_address;
# Uses the value resolved by the deprecation handling above.
233 'DEFAULT/osapi_compute_workers': value => $osapi_compute_workers_real;
234 'DEFAULT/ec2_workers': value => $ec2_workers;
235 'DEFAULT/metadata_workers': value => $metadata_workers;
236 'DEFAULT/use_forwarded_for': value => $use_forwarded_for;
237 'osapi_v3/enabled': value => $osapi_v3;
# Nova's side of the Neutron metadata proxy: with a shared secret the proxy
# is switched on and the secret written; otherwise the proxy is switched off
# and the secret entry removed. The `nova_config {` and `else` lines are not
# visible in this listing.
240 if ($neutron_metadata_proxy_shared_secret){
242 'neutron/service_metadata_proxy': value => true;
# NOTE(review): unlike keystone_authtoken/admin_password further down, this
# entry does not carry `secret => true`, so the shared secret may appear in
# Puppet's change output and reports; consider adding it.
243 'neutron/metadata_proxy_shared_secret':
244 value => $neutron_metadata_proxy_shared_secret;
248 'neutron/service_metadata_proxy': value => false;
249 'neutron/metadata_proxy_shared_secret': ensure => absent;
# Keystone auth settings written to the keystone_authtoken section of
# nova.conf. The surrounding `if`/`else` lines are not visible here.
# An explicit auth_uri wins; otherwise one is built from protocol and host.
254 $auth_uri_real = $auth_uri
# Port 5000 is fixed in the derived URI and does not follow $auth_port.
# With the default auth_protocol this is an http:// URL.
256 $auth_uri_real = "${auth_protocol}://${auth_host}:5000/"
258 nova_config { 'keystone_authtoken/auth_uri': value => $auth_uri_real; }
# auth_version is written only when set, and removed from the file otherwise.
261 nova_config { 'keystone_authtoken/auth_version': value => $auth_version; }
263 nova_config { 'keystone_authtoken/auth_version': ensure => absent; }
267 'keystone_authtoken/auth_host': value => $auth_host;
268 'keystone_authtoken/auth_port': value => $auth_port;
269 'keystone_authtoken/auth_protocol': value => $auth_protocol;
270 'keystone_authtoken/admin_tenant_name': value => $admin_tenant_name;
271 'keystone_authtoken/admin_user': value => $admin_user;
# `secret => true` marks the value as sensitive for the nova_config type.
272 'keystone_authtoken/admin_password': value => $admin_password, secret => true;
# Optional settings: each is written when supplied and removed from
# nova.conf when not. The `nova_config {` and `else` lines are not visible
# in this listing.
275 if $auth_admin_prefix {
# The prefix must start with '/' and must not end with '/'.
# NOTE(review): `^` and `$` are line anchors in Ruby regular expressions, so
# this checks a line rather than the whole string; `\A` and `\z` would
# anchor the complete value.
276 validate_re($auth_admin_prefix, '^(/.+[^/])?$')
278 'keystone_authtoken/auth_admin_prefix': value => $auth_admin_prefix;
282 'keystone_authtoken/auth_admin_prefix': ensure => absent;
286 if $keystone_ec2_url {
288 'DEFAULT/keystone_ec2_url': value => $keystone_ec2_url;
292 'DEFAULT/keystone_ec2_url': ensure => absent;
# Extra packages for the OCCI API, installed only when 'occiapi' is listed
# in enabled_apis. The `defined()` guards avoid duplicate declarations when
# another class already manages the package.
# NOTE(review): the ensure/provider lines of these package resources are not
# visible in this listing; if the packages come from a public index without
# a pinned version, confirm that is intended for an API node.
296 if 'occiapi' in $enabled_apis {
297 if !defined(Package['python-pip']) {
298 package { 'python-pip':
302 if !defined(Package['pyssf']) {
306 require => Package['python-pip']
309 package { 'openstackocci':
312 require => Package['python-pip'],
# Rate limiting is configured in api-paste.ini only when ratelimits is set;
# without it no filter:ratelimit entries are managed here.
316 if ($ratelimits != undef) {
318 'filter:ratelimit/paste.filter_factory': value => $ratelimits_factory;
319 'filter:ratelimit/limits': value => $ratelimits;
323 # Added arg and if statement prevents this from being run
324 # where db is not active i.e. the compute
# The db sync runs after the nova-api package is installed and is tied to
# Exec['post-nova_config'] through `subscribe`. The command uses an
# absolute path, so it does not depend on the exec search path.
326 Package<| title == 'nova-api' |> -> Exec['nova-db-sync']
327 exec { 'nova-db-sync':
328 command => '/usr/bin/nova-manage db sync',
330 subscribe => Exec['post-nova_config'],
334 # Remove auth configuration from api-paste.ini
# The same settings are written to the keystone_authtoken section of
# nova.conf above, so the copies in api-paste.ini (including the admin
# password) are removed.
336 'filter:authtoken/auth_uri': ensure => absent;
337 'filter:authtoken/auth_host': ensure => absent;
338 'filter:authtoken/auth_port': ensure => absent;
339 'filter:authtoken/auth_protocol': ensure => absent;
340 'filter:authtoken/admin_tenant_name': ensure => absent;
341 'filter:authtoken/admin_user': ensure => absent;
342 'filter:authtoken/admin_password': ensure => absent;
343 'filter:authtoken/auth_admin_prefix': ensure => absent;
# pci_alias passes through check_array_of_hash() before being written; that
# function is defined outside this listing.
348 'DEFAULT/pci_alias': value => check_array_of_hash($pci_alias);
# Default service validation command (the enclosing hash lines are not
# visible in this listing).
# NOTE(review): the admin password is interpolated into the command line, so
# it is readable in the process list while the check runs and may be logged
# with the command. The values are also unquoted, so whitespace or shell
# metacharacters in them would change the command. Prefer supplying the
# credentials through the environment (the nova client reads OS_PASSWORD) or
# overriding the command via validation_options.
355 'command' => "nova --os-auth-url ${auth_uri_real} --os-tenant-name ${admin_tenant_name} --os-username ${admin_user} --os-password ${admin_password} flavor-list",
# Keys in validation_options override the defaults (rightmost hash wins in
# merge); every resulting validation resource subscribes to the nova-api
# service.
358 $validation_options_hash = merge ($defaults, $validation_options)
359 create_resources('openstacklib::service_validation', $validation_options_hash, {'subscribe' => 'Service[nova-api]'})