Kayobe currently supports definition of various different networks - public, internal, tunnel, etc. These typically map to a VLAN or flat network, with an IP subnet. When a cloud exceeds the size of a single VLAN/subnet, this approach no longer works. One way to resolve this is to have multiple subnets that map to a single logical network, and provide routing between them. This is a similar concept to neutron's routed networks, but for the control plane. This change provides documentation for the currently tested parts of this feature. Change-Id: Ic06c6d4fff0fa568eb9ed3a9c30ce21c7699d965 Story: 2008180 Task: 40938
28 KiB
Kolla Ansible Configuration
Kayobe relies heavily on Kolla Ansible for deployment of the OpenStack control plane. Kolla Ansible is installed locally on the Ansible control host (the host from which Kayobe commands are executed), and Kolla Ansible commands are executed from there.
Kolla Ansible configuration is stored in
${KAYOBE_CONFIG_PATH}/kolla.yml
.
Configuration of Ansible
Ansible configuration is described in detail in the Ansible
documentation. In addition to the standard locations, Kayobe
supports using an Ansible configuration file located in the Kayobe
configuration at ${KAYOBE_CONFIG_PATH}/kolla/ansible.cfg
or
${KAYOBE_CONFIG_PATH}/ansible.cfg
. Note that if the
ANSIBLE_CONFIG
environment variable is specified it takes
precedence over this file.
Kolla Ansible Installation
Prior to deploying containers, Kolla Ansible and its dependencies will be installed on the Ansible control host. The following variables affect the installation of Kolla Ansible:
kolla_ansible_ctl_install_type
-
Type of Kolla Ansible control installation. One of
binary
(PyPI) orsource
(git). Default issource
. kolla_ansible_source_url
-
URL of Kolla Ansible source code repository if type is
source
. Default is https://opendev.org/openstack/kolla-ansible. kolla_ansible_source_version
-
Version (branch, tag, etc.) of Kolla Ansible source code repository if type is
source
. Default is the same as the Kayobe upstream branch. kolla_ansible_venv_extra_requirements
-
Extra requirements to install inside the Kolla Ansible virtualenv. Default is an empty list.
kolla_upper_constraints_file
-
Upper constraints file for installation of Kolla. Default is
{{ pip_upper_constraints_file }}
, which has a default ofhttps://releases.openstack.org/constraints/upper/{{ openstack_branch }}
.
Example: custom git repository
To install Kolla Ansible from a custom git repository:
kolla_ansible_source_url: https://git.example.com/kolla-ansible
kolla_ansible_source_version: downstream
Virtual Environment Extra Requirements
Extra Python packages can be installed inside the Kolla Ansible virtualenv, such as when required by Ansible plugins.
For example, to use the hashi_vault
Ansible lookup plugin, its hvac
dependency can be
installed using:
---
# Extra requirements to install inside the Kolla Ansible virtualenv.
kolla_ansible_venv_extra_requirements:
- "hvac"
Local environment
The following variables affect the local environment on the Ansible
control host. They reference environment variables, and should be
configured using those rather than modifying the Ansible variable
directly. The file kayobe-env
in the kayobe-config git
repository sets some sensible defaults for these variables, based on
the recommended environment directory structure.
kolla_ansible_source_path
-
Path to directory for Kolla Ansible source code checkout. Default is
$KOLLA_SOURCE_PATH
, or$PWD/src/kolla-ansible
. kolla_ansible_venv
-
Path to virtualenv in which to install Kolla Ansible on the Ansible control host. Default is
$KOLLA_VENV_PATH
or$PWD/venvs/kolla-ansible
. kolla_config_path
-
Path to Kolla Ansible configuration directory. Default is
$KOLLA_CONFIG_PATH
or/etc/kolla
.
Global Configuration
The following variables are global, affecting all containers. They
are used to generate the Kolla Ansible configuration file,
globals.yml
, and also affect Kolla image build configuration <configuration-kolla-global>
.
Kolla Images
The following variables affect which Kolla images are used, and how they are accessed.
kolla_base_distro
-
Kolla base container image distribution. Default is
centos
. kolla_install_type
-
Kolla container image type:
binary
orsource
. Default isbinary
. kolla_docker_registry
-
URL of docker registry to use for Kolla images. Default is not set, in which case Dockerhub will be used.
kolla_docker_namespace
-
Docker namespace to use for Kolla images. Default is
kolla
. kolla_docker_registry_username
-
Username to use to access a docker registry. Default is not set, in which case the registry will be used without authentication.
kolla_docker_registry_password
-
Password to use to access a docker registry. Default is not set, in which case the registry will be used without authentication.
kolla_openstack_release
-
Kolla OpenStack release version. This should be a Docker image tag. Default is
{{ openstack_release }}
, which takes the OpenStack release name (e.g.rocky
) on stable branches and tagged releases, ormaster
on the Kayobemaster
branch.
For example, to deploy Kolla centos
binary
images with a namespace of example
, and a private Docker
registry at registry.example.com:4000
, tagged with
7.0.0.1
:
kolla_base_distro: centos
kolla_install_type: binary
kolla_docker_namespace: example
kolla_docker_registry: registry.example.com:4000
kolla_openstack_release: 7.0.0.1
The deployed ironic-api
image would be referenced as
follows:
registry.example.com:4000/example/centos-binary-ironic-api:7.0.0.1
Ansible
The following variables affect how Ansible accesses the remote hosts.
kolla_ansible_user
-
User account to use for Kolla SSH access. Default is
kolla
. kolla_ansible_group
-
Primary group of Kolla SSH user. Default is
kolla
. kolla_ansible_become
-
Whether to use privilege escalation for all operations performed via Kolla Ansible. Default is
false
since the 8.0.0 Ussuri release. kolla_ansible_target_venv
-
Path to a virtual environment on remote hosts to use for Ansible module execution. Default is
{{ virtualenv_path }}/kolla-ansible
. May be set toNone
to use the system Python interpreter.
Context: Remote Execution Environment
By default, Ansible executes modules remotely using the system python
interpreter, even if the Ansible control process is executed from within
a virtual environment (unless the local
connection plugin
is used). This is not ideal if there are python dependencies that must
be installed with isolation from the system python packages. Ansible can
be configured to use a virtualenv by setting the host variable
ansible_python_interpreter
to a path to a python
interpreter in an existing virtual environment.
The variable kolla_ansible_target_venv
configures the
use of a virtual environment on the remote hosts. The default
configuration should work in most cases.
User account creation
Since the Ussuri release, Kayobe creates a user account for Kolla
Ansible rather than this being done during Kolla Ansible's
bootstrap-servers
command. This workflow is more compatible
with Ansible
fact caching, but does mean that Kolla Ansible's
create_kolla_user
variable cannot be used to disable
creation of the user account. Instead, set
kolla_ansible_create_user
to false
.
kolla_ansible_create_user
-
Whether to create a user account, configure passwordless sudo and authorise an SSH key for Kolla Ansible. Default is
true
.
OpenStack Logging
The following variable affects OpenStack debug logging.
kolla_openstack_logging_debug
-
Whether debug logging is enabled for OpenStack services. Default is
false
.
Example: enabling debug logging
In certain situations it may be necessary to enable debug logging for all OpenStack services. This is not usually advisable in production.
---
kolla_openstack_logging_debug: true
API Addresses
Note
These variables should be used over the deprecated
vip_address
and fqdn
network attributes
<configuration-network-global>
The following variables affect the addresses used for the external and internal API.
kolla_internal_vip_address
-
Virtual IP address of OpenStack internal API. Default is the
vip_address
attribute of the internal network. kolla_internal_fqdn
-
Fully Qualified Domain Name (FQDN) of OpenStack internal API. Default is the
fqdn
attribute of the internal network if set, otherwisekolla_internal_vip_address
. kolla_external_vip_address
-
Virtual IP address of OpenStack external API. Default is the
vip_address
attribute of the external network. kolla_external_fqdn
-
Fully Qualified Domain Name (FQDN) of OpenStack external API. Default is the
fqdn
attribute of the external network if set, otherwisekolla_external_vip_address
.
TLS Encryption of APIs
The following variables affect TLS encryption of the public API.
kolla_enable_tls_external
-
Whether TLS is enabled for the public API endpoints. Default is
no
. kolla_external_tls_cert
-
A TLS certificate bundle to use for the public API endpoints, if
kolla_enable_tls_external
istrue
. Note that this should be formatted as a literal style block scalar. kolla_external_fqdn_cacert
-
Path to a CA certificate file to use for the
OS_CACERT
environment variable in openrc files when TLS is enabled, instead of Kolla Ansible's default.
The following variables affect TLS encryption of the internal API. Currently this requires all Kolla images to be built with the API's root CA trusted.
kolla_enable_tls_internal
-
Whether TLS is enabled for the internal API endpoints. Default is
no
. kolla_internal_tls_cert
-
A TLS certificate bundle to use for the internal API endpoints, if
kolla_enable_tls_internal
istrue
. Note that this should be formatted as a literal style block scalar. kolla_internal_fqdn_cacert
-
Path to a CA certificate file to use for the
OS_CACERT
environment variable in openrc files when TLS is enabled, instead of Kolla Ansible's default.
Example: enabling TLS for the public API
It is highly recommended to use TLS encryption to secure the public API. Here is an example:
---
kolla_enable_tls_external: yes
kolla_external_tls_cert: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----kolla_external_fqdn_cacert: /path/to/ca/certificate/bundle
Example: enabling TLS for the internal API
It is highly recommended to use TLS encryption to secure the internal API. Here is an example:
---
kolla_enable_tls_internal: yes
kolla_internal_tls_cert: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----kolla_internal_fqdn_cacert: /path/to/ca/certificate/bundle
Other certificates
In general, Kolla Ansible expects certificates to be in a directory
configured via kolla_certificates_dir
, which defaults to a
directory named certificates
in the same directory as
globals.yml
. Kayobe follows this pattern, and will pass
files and directories added to
${KAYOBE_CONFIG_PATH}/kolla/certificates/
through to Kolla
Ansible. This can be useful when enabling backend API TLS encryption, or
providing custom CA certificates to be added to the trust store in
containers. It is also possible to use this path to provide certificate
bundles for the external or internal APIs, as an alternative to
kolla_external_tls_cert
and
kolla_internal_tls_cert
.
Note that Ansible will automatically decrypt these files if they are encrypted via Ansible Vault and it has access to a Vault password.
Example: adding a trusted custom CA certificate to containers
In an environment with a private CA, it may be necessary to add the root CA certificate to the trust store of containers.
kolla/
certificates/
ca/
private-ca.crt
These files should be PEM-formatted, and have a .crt
extension.
Example: adding certificates for backend TLS
Kolla Ansible backend TLS can be used to provide end-to-end encryption of API traffic.
kolla/
certificates/
backend-cert.pem
backend-key.pem
See the Kolla Ansible documentation
<admin/advanced-configuration.html#tls-configuration>
for
how to provide service and/or host-specific certificates and keys.
Custom Global Variables
Kolla Ansible uses a single file for global variables,
globals.yml
. Kayobe provides configuration variables for
all required variables and many of the most commonly used the variables
in this file. Some of these are in
$KAYOBE_CONFIG_PATH/kolla.yml
, and others are determined
from other sources such as the networking configuration in
$KAYOBE_CONFIG_PATH/networks.yml
.
Additional global configuration may be provided by creating
$KAYOBE_CONFIG_PATH/kolla/globals.yml
. Variables in this
file will be templated using Jinja2, and merged with the Kayobe
globals.yml
configuration.
Example: use a specific tag for each image
For more fine-grained control over images, Kolla Ansible allows a tag
to be defined for each image. For example, for
nova-api
:
---
# Use a custom tag for the nova-api container image.
nova_api_tag: v1.2.3
Example: debug logging per-service
Enabling debug logging globally can lead to a lot of additional logs being generated. Often we are only interested in a particular service. For example, to enable debug logging for Nova services:
---
nova_logging_debug: true
Host variables
Kayobe generates a host_vars file for each host in the Kolla Ansible inventory. These contain network interfaces and other host-specific things.
kolla_seed_inventory_pass_through_host_vars
-
List of names of host variables to pass through from kayobe hosts to the Kolla Ansible seed host, if set. See also
kolla_seed_inventory_pass_through_host_vars_map
. The default is:kolla_seed_inventory_pass_through_host_vars: - "ansible_host" - "ansible_port" - "ansible_ssh_private_key_file" - "kolla_api_interface" - "kolla_bifrost_network_interface"
kolla_seed_inventory_pass_through_host_vars_map
-
Dict mapping names of variables in
kolla_seed_inventory_pass_through_host_vars
to the variable to use in Kolla Ansible. If a variable name is not in this mapping the kayobe name is used. The default is:kolla_seed_inventory_pass_through_host_vars_map: kolla_api_interface: "api_interface" kolla_bifrost_network_interface: "bifrost_network_interface"
kolla_overcloud_inventory_pass_through_host_vars
-
List of names of host variables to pass through from Kayobe hosts to Kolla Ansible hosts, if set. See also
kolla_overcloud_inventory_pass_through_host_vars_map
. The default is:kolla_overcloud_inventory_pass_through_host_vars: - "ansible_host" - "ansible_port" - "ansible_ssh_private_key_file" - "kolla_network_interface" - "kolla_api_interface" - "kolla_storage_interface" - "kolla_cluster_interface" - "kolla_swift_storage_interface" - "kolla_swift_replication_interface" - "kolla_provision_interface" - "kolla_inspector_dnsmasq_interface" - "kolla_dns_interface" - "kolla_tunnel_interface" - "kolla_external_vip_interface" - "kolla_neutron_external_interfaces" - "kolla_neutron_bridge_names"
kolla_overcloud_inventory_pass_through_host_vars_map
-
Dict mapping names of variables in
kolla_overcloud_inventory_pass_through_host_vars
to the variable to use in Kolla Ansible. If a variable name is not in this mapping the Kayobe name is used. The default is:kolla_overcloud_inventory_pass_through_host_vars_map: kolla_network_interface: "network_interface" kolla_api_interface: "api_interface" kolla_storage_interface: "storage_interface" kolla_cluster_interface: "cluster_interface" kolla_swift_storage_interface: "swift_storage_interface" kolla_swift_replication_interface: "swift_replication_interface" kolla_provision_interface: "provision_interface" kolla_inspector_dnsmasq_interface: "ironic_dnsmasq_interface" kolla_dns_interface: "dns_interface" kolla_tunnel_interface: "tunnel_interface" kolla_neutron_external_interfaces: "neutron_external_interface" kolla_neutron_bridge_names: "neutron_bridge_name"
Custom Group Variables
Group variables can be used to set configuration for all hosts in a
group. They can be set in Kolla Ansible by placing files in
${KAYOBE_CONFIG_PATH}/kolla/inventory/group_vars/*
. Since
this directory is copied directly into the Kolla Ansible inventory,
Kolla Ansible group names should be used. It should be noted that
extra-vars
and host_vars
take precedence over
group_vars
. For more information on variable precedence see
the Ansible documentation.
Example: configure a Nova cell
In Kolla Ansible, Nova cells are configured
<reference/compute/nova-cells-guide>
via group variables.
For example, to configure cell0001
the following file could
be created:
---
nova_cell_name: cell0001
nova_cell_novncproxy_group: cell0001-vnc
nova_cell_conductor_group: cell0001-control
nova_cell_compute_group: cell0001-compute
Passwords
Kolla Ansible auto-generates passwords to a file,
passwords.yml
. Kayobe handles the orchestration of this, as
well as encryption of the file using an Ansible Vault password specified
in the KAYOBE_VAULT_PASSWORD
environment variable, if
present. The file is generated to
$KAYOBE_CONFIG_PATH/kolla/passwords.yml
, and should be
stored along with other Kayobe configuration files. This file should not
be manually modified.
kolla_ansible_custom_passwords
-
Dictionary containing custom passwords to add or override in the Kolla passwords file. Default is
{{ kolla_ansible_default_custom_passwords }}
, which contains SSH keys for use by Kolla Ansible and Bifrost.
Configuring Custom Passwords
In order to write additional passwords to passwords.yml
,
set the kayobe variable kolla_ansible_custom_passwords
in
$KAYOBE_CONFIG_PATH/kolla.yml
.
---
# Dictionary containing custom passwords to add or override in the Kolla
# passwords file.
kolla_ansible_custom_passwords: >
{{ kolla_ansible_default_custom_passwords | combine({'my_custom_password': 'correcthorsebatterystaple'}) }}
Control Plane Services
Kolla Ansible provides a flexible mechanism for configuring the
services that it deploys. Kayobe adds some commonly required
configuration options to the defaults provided by Kolla Ansible, but
also allows for the free-form configuration supported by Kolla Ansible.
The Kolla Ansible
documentation <>
should be used as a reference.
Enabling Services
Services deployed by Kolla Ansible are enabled via flags.
kolla_enable_<service or feature>
-
There are various flags that can be used to enable features. These map to variables named
enable_<service or feature>
in Kolla Ansible. The default set of enabled services and features is the same as in Kolla ansible, except that Ironic is enabled by default in Kayobe.
Example: enabling a service
A common task is enabling a new OpenStack service. This may be done
via the kolla_enable_*
flags, for example:
---
kolla_enable_swift: true
Note that in some cases additional configuration may be required to
successfully deploy a service - check the Kolla Ansible
configuration reference <reference>
.
Service Configuration
Kolla-ansible's flexible configuration is described in the Kolla Ansible service configuration documentation
<admin/advanced-configuration.html#openstack-service-configuration-in-kolla>
.
We won't duplicate that here, but essentially it involves creating files
under a directory which for users of kayobe will be
$KOLLA_CONFIG_PATH/config
. In kayobe, files in this
directory are auto-generated and managed by kayobe. Instead, users
should create files under $KAYOBE_CONFIG_PATH/kolla/config
with the same directory structure. These files will be templated using
Jinja2, merged with kayobe's own configuration, and written out to
$KOLLA_CONFIG_PATH/config
.
The following files, if present, will be templated and provided to
Kolla Ansible. All paths are relative to
$KAYOBE_CONFIG_PATH/kolla/config
. Note that typically Kolla
Ansible does not use the same wildcard patterns, and has a more
restricted set of files that it will process. In some cases, it may be
necessary to inspect the Kolla Ansible configuration tasks to determine
which files are supported.
File | Purpose |
---|---|
aodh.conf |
Aodh configuration. |
aodh/* |
Extended Aodh configuration. |
backup.my.cnf |
Mariabackup configuration. |
barbican.conf |
Barbican configuration. |
barbican/* |
Extended Barbican configuration. |
blazar.conf |
Blazar configuration. |
blazar/* |
Extended Blazar configuration. |
ceilometer.conf |
Ceilometer configuration. |
ceilometer/* |
Extended Ceilometer configuration. |
cinder.conf |
Cinder configuration. |
cinder/* |
Extended Cinder configuration. |
cloudkitty.conf |
CloudKitty configuration. |
cloudkitty/* |
Extended CloudKitty configuration. |
designate.conf |
Designate configuration. |
designate/* |
Extended Designate configuration. |
fluentd/filter |
Fluentd filter configuration. |
fluentd/input |
Fluentd input configuration. |
fluentd/output |
Fluentd output configuration. |
galera.cnf |
MariaDB configuration. |
glance.conf |
Glance configuration. |
glance/* |
Extended Glance configuration. |
global.conf |
Global configuration for all OpenStack services. |
gnocchi.conf |
Gnocchi configuration. |
gnocchi/* |
Extended Gnocchi configuration. |
grafana.ini |
Grafana configuration. |
grafana/* |
Extended Grafana configuration. |
haproxy/* |
Main HAProxy configuration. |
haproxy-config/* |
Modular HAProxy configuration. |
heat.conf |
Heat configuration. |
heat/* |
Extended heat configuration. |
horizon/* |
Extended horizon configuration. |
influx* |
InfluxDB configuration. |
ironic-inspector.conf |
Ironic inspector configuration. |
ironic.conf |
Ironic configuration. |
ironic/* |
Extended ironic configuration. |
kafka.server.properties |
Kafka configuration. |
kafka/* |
Extended Kafka configuration. |
keepalived/* |
Extended keepalived configuration. |
keystone.conf |
Keystone configuration. |
keystone/* |
Extended keystone configuration. |
magnum.conf |
Magnum configuration. |
magnum/* |
Extended magnum configuration. |
manila.conf |
Manila configuration. |
manila/* |
Extended manila configuration. |
mariadb/* |
Extended MariaDB configuration. |
masakari.conf |
Masakari configuration. |
masakari/* |
Extended masakari configuration. |
monasca/* |
Extended Monasca configuration. |
murano.conf |
Murano configuration. |
murano/* |
Extended murano configuration. |
neutron.conf |
Neutron configuration. |
neutron/ml2_conf.ini |
Neutron ML2 configuration. |
neutron/* |
Extended neutron configuration. |
nova.conf |
Nova configuration. |
nova/* |
Extended nova configuration. |
octavia.conf |
Octavia configuration. |
octavia/* |
Extended Octavia configuration. |
sahara.conf |
Sahara configuration. |
sahara/* |
Extended sahara configuration. |
storm/* |
Extended Storm configuration. |
swift/* |
Extended swift configuration. |
zookeeper.cfg |
Zookeeper configuration. |
zookeeper/* |
Extended Zookeeper configuration. |
Configuring an OpenStack Component
To provide custom configuration to be applied to all glance services,
create $KAYOBE_CONFIG_PATH/kolla/config/glance.conf
. For
example:
[DEFAULT]
api_limit_max = 500
Configuring an OpenStack Service
To provide custom configuration for the glance API service, create
$KAYOBE_CONFIG_PATH/kolla/config/glance/glance-api.conf
.
For example:
[DEFAULT]
api_limit_max = 500