Zun role for OpenStack-Ansible

tags:

openstack, zun, cloud, ansible

category:

*nix

This role will install the following Systemd services:
  • zun-server

  • zun-compute

To clone or view the source code for this repository, visit the role repository for os_zun.

Default variables

# Enable/Disable barbican configurations
zun_barbican_enabled: "{{ (groups['barbican_all'] is defined) and (groups['barbican_all'] | length > 0) }}"
# Enable/Disable designate configurations
zun_designate_enabled: "{{ (groups['designate_all'] is defined) and (groups['designate_all'] | length > 0) }}"
# Notification topics for designate.
zun_notifications_designate: notifications_designate
# Enable/Disable ceilometer configurations
zun_ceilometer_enabled: "{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}"

## Verbosity Options
debug: False

# python venv executable
zun_venv_python_executable: "{{ openstack_venv_python_executable | default('python3') }}"

# Set the host which will execute the shade modules
# for the service setup. The host must already have
# clouds.yaml properly configured.
zun_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
zun_service_setup_host_python_interpreter: >-
  {{
    openstack_service_setup_host_python_interpreter | default(
      (zun_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
  }}

# Set the package install state for distribution packages
# Options are 'present' and 'latest'
zun_package_state: "{{ package_state | default('latest') }}"

zun_git_repo: https://opendev.org/openstack/zun
zun_git_install_branch: master

zun_kuryr_git_repo: https://opendev.org/openstack/kuryr-libnetwork
zun_kuryr_git_install_branch: master

# This is only required until kuryr-libnetwork depends upon a version of kuryr-lib
# which includes https://review.opendev.org/c/openstack/kuryr/+/764908
zun_kuryr_lib_git_repo: https://opendev.org/openstack/kuryr
zun_kuryr_lib_git_install_branch: master

zun_upper_constraints_url: >-
  {{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}
zun_git_constraints:
  - "--constraint {{ zun_upper_constraints_url }}"

zun_pip_install_args: "{{ pip_install_options | default('') }}"

# Name of the virtual env to deploy into
zun_venv_tag: "{{ venv_tag | default('untagged') }}"
zun_bin: "/openstack/venvs/zun-{{ zun_venv_tag }}/bin"

zun_fatal_deprecations: False

## Zun user information
zun_system_user_name: zun
zun_system_group_name: zun
zun_system_shell: /bin/false
zun_system_comment: zun system user
zun_system_home_folder: "/var/lib/{{ zun_system_user_name }}"
zun_system_slice_name: zun
zun_log_dir: "/var/log/zun"

zun_lock_dir: "{{ openstack_lock_dir | default('/run/lock') }}"

## Kuryr user information
zun_kuryr_system_user_name: kuryr
zun_kuryr_system_group_name: kuryr
zun_kuryr_system_shell: /bin/false
zun_kuryr_system_comment: kuryr system user
zun_kuryr_system_home_folder: "/var/lib/{{ zun_kuryr_system_user_name }}"
zun_kuryr_log_dir: "/var/log/kuryr"

## Docker setup information
zun_docker_package_version: "{{ _zun_docker_package_version }}"
zun_containerd_package_version: "{{ _zun_containerd_package_version }}"
zun_kata_package_version: "3.1.0"
zun_kata_package_source: >-
  https://github.com/kata-containers/kata-containers/releases/download/{{ zun_kata_package_version }}/kata-static-{{ zun_kata_package_version }}-x86_64.tar.xz
zun_kata_package_checksum: sha256:452cc850e021539c14359d016aba18ddba128f59aa9ab637738296d9b5cd78a0
zun_kata_enabled: "True"

# Set a list of users that are permitted to execute the docker binary.
zun_docker_users:
  - "{{ zun_system_user_name }}"
  - "{{ zun_kuryr_system_user_name }}"

# Set the docker api version. The default is false, which will result in no
# option being set in config for api servers. On compute hosts the docker api
# version will be used as determined by the client version information.
zun_docker_api_version: false

# Set the address for Docker to bind to. Used by the wsproxy console forwarder
zun_docker_bind_host: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
zun_docker_bind_port: 2375

# Should Docker image cache data be periodically cleaned up?
zun_docker_prune_images: False

# Time period for which to clean up old Docker data. The options are hour, day,
# month, or year. (string value)
zun_docker_prune_frequency: hour

## Manually specified zun UID/GID
# Deployers can specify a UID for the zun user as well as the GID for the
# zun group if needed. This is commonly used in environments where shared
# storage is used, such as NFS or GlusterFS, and zun UID/GID values must be
# in sync between multiple servers.
#
# WARNING: Changing these values on an existing deployment can lead to
#          failures, errors, and instability.
#
# zun_system_user_uid = <UID>
# zun_system_group_gid = <GID>

## Database info
zun_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}"
zun_db_setup_python_interpreter: >-
  {{
    openstack_db_setup_python_interpreter | default((zun_db_setup_host == 'localhost') | ternary(
      ansible_playbook_python, ansible_facts['python']['executable']))
  }}
zun_galera_address: "{{ galera_address | default('127.0.0.1') }}"
zun_galera_user: zun
zun_galera_database: zun
zun_db_max_overflow: "{{ openstack_db_max_overflow | default('50') }}"
zun_db_max_pool_size: "{{ openstack_db_max_pool_size | default('5') }}"
zun_db_pool_timeout: "{{ openstack_db_pool_timeout | default('30') }}"
zun_db_connection_recycle_time: "{{ openstack_db_connection_recycle_time | default('600') }}"
# Toggle whether zun connects via an encrypted connection
zun_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
# The path where to store the database server CA certificate
zun_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
zun_galera_port: "{{ galera_port | default('3306') }}"

## RabbitMQ info

## Configuration for RPC communications
zun_rpc_thread_pool_size: 64
zun_rpc_conn_pool_size: 30
zun_rpc_response_timeout: 60

## Oslo Messaging info

# RPC
zun_oslomsg_rpc_host_group: "{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}"
zun_oslomsg_rpc_setup_host: "{{ (zun_oslomsg_rpc_host_group in groups) | ternary(groups[zun_oslomsg_rpc_host_group][0], 'localhost') }}"
zun_oslomsg_rpc_transport: "{{ oslomsg_rpc_transport | default('rabbit') }}"
zun_oslomsg_rpc_servers: "{{ oslomsg_rpc_servers | default('127.0.0.1') }}"
zun_oslomsg_rpc_port: "{{ oslomsg_rpc_port | default('5672') }}"
zun_oslomsg_rpc_use_ssl: "{{ oslomsg_rpc_use_ssl | default(False) }}"
zun_oslomsg_rpc_userid: zun
# vhost name depends on value of oslomsg_rabbit_quorum_queues. In case quorum queues
# are not used - vhost name will be prefixed with leading `/`.
zun_oslomsg_rpc_vhost:
  - name: /zun
    state: "{{ zun_oslomsg_rabbit_quorum_queues | ternary('absent', 'present') }}"
  - name: zun
    state: "{{ zun_oslomsg_rabbit_quorum_queues | ternary('present', 'absent') }}"
zun_oslomsg_rpc_ssl_version: "{{ oslomsg_rpc_ssl_version | default('TLSv1_2') }}"
zun_oslomsg_rpc_ssl_ca_file: "{{ oslomsg_rpc_ssl_ca_file | default('') }}"
zun_oslomsg_rpc_policies: []

# Notify
zun_oslomsg_notify_configure: "{{ oslomsg_notify_configure | default(zun_ceilometer_enabled or zun_designate_enabled) }}"
zun_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
zun_oslomsg_notify_setup_host: "{{ (zun_oslomsg_notify_host_group in groups) | ternary(groups[zun_oslomsg_notify_host_group][0], 'localhost') }}"
zun_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
zun_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
zun_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
zun_oslomsg_notify_use_ssl: "{{ oslomsg_notify_use_ssl | default(False) }}"
zun_oslomsg_notify_userid: "{{ zun_oslomsg_rpc_userid }}"
zun_oslomsg_notify_password: "{{ zun_oslomsg_rpc_password }}"
zun_oslomsg_notify_vhost: "{{ zun_oslomsg_rpc_vhost }}"
zun_oslomsg_notify_ssl_version: "{{ oslomsg_notify_ssl_version | default('TLSv1_2') }}"
zun_oslomsg_notify_ssl_ca_file: "{{ oslomsg_notify_ssl_ca_file | default('') }}"
zun_oslomsg_notify_policies: []

## RabbitMQ integration
zun_oslomsg_rabbit_quorum_queues: "{{ oslomsg_rabbit_quorum_queues | default(True) }}"
zun_oslomsg_rabbit_stream_fanout: "{{ oslomsg_rabbit_stream_fanout | default(zun_oslomsg_rabbit_quorum_queues) }}"
zun_oslomsg_rabbit_transient_quorum_queues: "{{ oslomsg_rabbit_transient_quorum_queues | default(zun_oslomsg_rabbit_stream_fanout) }}"
zun_oslomsg_rabbit_qos_prefetch_count: "{{ oslomsg_rabbit_qos_prefetch_count | default(zun_oslomsg_rabbit_stream_fanout | ternary(10, 0)) }}"
zun_oslomsg_rabbit_queue_manager: "{{ oslomsg_rabbit_queue_manager | default(zun_oslomsg_rabbit_quorum_queues) }}"
zun_oslomsg_rabbit_quorum_delivery_limit: "{{ oslomsg_rabbit_quorum_delivery_limit | default(0) }}"
zun_oslomsg_rabbit_quorum_max_memory_bytes: "{{ oslomsg_rabbit_quorum_max_memory_bytes | default(0) }}"

# If this is not set, then the playbook will try to guess it.
# zun_virt_type: kvm

## Zun Auth
zun_service_region: "{{ service_region | default('RegionOne') }}"
zun_service_project_name: "service"
zun_service_project_domain_id: default
zun_service_user_domain_id: default
zun_service_user_name: "zun"
zun_service_role_names:
  - admin
  - service
zun_service_token_roles:
  - service
zun_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"

## Zun Auth for kuryr
zun_kuryr_service_username: kuryr

## Keystone authentication middleware
zun_keystone_auth_plugin: password

## Zun WebSocket Proxy
zun_wsproxy_proto: "{{ (openstack_service_publicuri_proto | default('http') == 'https') | ternary('wss', 'ws') }}"
zun_wsproxy_port: 6784
zun_wsproxy_host: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
zun_wsproxy_base_uri: "{{ zun_wsproxy_proto }}://{{ external_lb_vip_address }}:{{ zun_wsproxy_port }}"

## Zun v1
zun_service_name: zun
zun_service_type: container
zun_service_proto: http
zun_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(zun_service_proto) }}"
zun_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(zun_service_proto) }}"
zun_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(zun_service_proto) }}"
zun_service_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
zun_service_port: 9517
zun_kuryr_service_address: 127.0.0.1
zun_kuryr_service_port: 23750
zun_service_description: "Zun Compute Service"
zun_service_publicuri: "{{ zun_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ zun_service_port }}"
zun_service_publicurl: "{{ zun_service_publicuri }}"
zun_service_adminuri: "{{ zun_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ zun_service_port }}"
zun_service_adminurl: "{{ zun_service_adminuri }}"
zun_service_internaluri: "{{ zun_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ zun_service_port }}"
zun_service_internalurl: "{{ zun_service_internaluri }}"
zun_service_endpoint_type: internalURL

## General Zun configuration
# Select between the 'runc' or 'kata' runtime
zun_container_runtime: runc

# If ``zun_osapi_compute_workers`` is unset the system will use half the number of available VCPUS to
# compute the number of api workers to use.
# zun_osapi_compute_workers: 16

# If ``zun_conductor_workers`` is unset the system will use half the number of available VCPUS to
# compute the number of api workers to use.
# zun_conductor_workers: 16

# If ``zun_metadata_workers`` is unset the system will use half the number of available VCPUS to
# compute the number of api workers to use.
# zun_metadata_workers: 16

## Cap the maximun number of threads / workers when a user value is unspecified.
zun_api_threads_max: 16
zun_api_threads: >-
  {{ [[(ansible_facts['processor_vcpus'] // ansible_facts['processor_threads_per_core']) | default(1), 1] | max * 2, zun_api_threads_max] | min }}

zun_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"

zun_scheduler_default_filters: >-
  AvailabilityZoneFilter,
  ComputeFilter
zun_scheduler_available_filters: zun.scheduler.filters.all_filters
zun_scheduler_driver: filter_scheduler

## uWSGI setup
zun_wsgi_threads: 1
zun_wsgi_processes_max: 16
zun_wsgi_processes: "{{ [[ansible_facts['processor_vcpus'] | default(1), 1] | max * 2, zun_wsgi_processes_max] | min }}"

## Service Name-Group Mapping
zun_services:
  kuryr-libnetwork:
    group: zun_compute
    service_name: kuryr-libnetwork
    condition: "{{ inventory_hostname in groups['zun_compute'] }}"
    init_config_overrides: "{{ zun_kuryr_init_defaults | combine(zun_kuryr_init_overrides, recursive=True) }}"
    start_order: 3
    wsgi_app: True
    wsgi: kuryr_libnetwork.server:app
    uwsgi_bind_address: "{{ zun_kuryr_service_address }}"
    uwsgi_port: "{{ zun_kuryr_service_port }}"
    uwsgi_overrides: "{{ zun_kuryr_uwsgi_conf_overrides }}"
    uwsgi_uid: "{{ zun_kuryr_system_user_name }}"
    uwsgi_guid: "{{ zun_kuryr_system_group_name }}"
  zun-api:
    group: zun_api
    service_name: zun-api
    init_config_overrides: "{{ zun_api_init_overrides }}"
    start_order: 1
    wsgi_app: True
    wsgi_path: "{{ zun_bin }}/zun-api-wsgi"
    uwsgi_bind_address: "{{ zun_service_address }}"
    uwsgi_port: "{{ zun_service_port }}"
    uwsgi_overrides: "{{ zun_uwsgi_conf_overrides }}"
    uwsgi_uid: "{{ zun_system_user_name }}"
    uwsgi_guid: "{{ zun_system_group_name }}"
    uwsgi_tls: "{{ zun_backend_ssl | ternary(zun_uwsgi_tls, {}) }}"
  zun-compute:
    group: zun_compute
    service_name: zun-compute
    init_config_overrides: "{{ zun_compute_init_overrides }}"
    start_order: 5
    execstarts: "{{ zun_bin }}/zun-compute --config-dir /etc/zun"
  zun-wsproxy:
    group: zun_api
    service_name: zun-wsproxy
    init_config_overrides: "{{ zun_wsproxy_init_overrides }}"
    start_order: 2
    execstarts: "{{ zun_bin }}/zun-wsproxy --config-dir /etc/zun"
  zun-docker-cleanup:
    group: zun_compute
    service_name: zun-docker-cleanup
    init_config_overrides: "{{ zun_docker_cleanup_init_overrides }}"
    start_order: 6
    execstarts: "{{ zun_bin }}/zun-docker-cleanup"
    timer:
      state: started
      options:
        OnBootSec: 30min
        OnCalendar: "{{ (zun_docker_prune_frequency == 'day') | ternary('daily', zun_docker_prune_frequency + 'ly') }}"
        Persistent: true
  docker:
    group: zun_compute
    service_name: docker
    init_config_overrides: {}
    start_order: 4
    systemd_overrides_only: True
    systemd_overrides: "{{ zun_docker_init_defaults | combine(zun_docker_init_overrides, recursive=True) }}"

# Common pip packages
zun_pip_packages:
  - "git+{{ zun_git_repo }}@{{ zun_git_install_branch }}#egg=zun"
  - "git+{{ zun_kuryr_lib_git_repo }}@{{ zun_kuryr_lib_git_install_branch }}#egg=kuryr-lib"
  - "git+{{ zun_kuryr_git_repo }}@{{ zun_kuryr_git_install_branch }}#egg=kuryr-libnetwork"
  - oslo_rootwrap
  - osprofiler
  - python-memcached
  - pymemcache
  - python-zunclient
  - pymysql
  - systemd-python

zun_memcached_servers: "{{ memcached_servers }}"

## Default service options used within all systemd unit files.
zun_service_defaults: {}

## Tunable overrides for services
zun_zun_conf_overrides: {}
zun_rootwrap_conf_overrides: {}
zun_kuryr_conf_overrides: {}
zun_docker_config_overrides: {}
zun_kuryr_config_overrides: {}
zun_uwsgi_conf_overrides: {}
zun_kuryr_uwsgi_conf_overrides:
  uwsgi:
    pyargv: --config-file /etc/kuryr/kuryr.conf
zun_uwsgi_tls:
  crt: "{{ zun_ssl_cert }}"
  key: "{{ zun_ssl_key }}"

## Default zun+kuryr options used within the systemd unit file.
zun_kuryr_init_defaults:
  Unit:
    Before: docker.service
    After: network-online.target
    Wants: network-online.target
  Service:
    CapabilityBoundingSet: CAP_NET_ADMIN
    AmbientCapabilities: CAP_NET_ADMIN
    Group: "{{ zun_kuryr_system_group_name }}"
    User: "{{ zun_kuryr_system_user_name }}"

# Key-value storage for docker swarm standalone mode.
# Possible options: zk, etcd and consul
zun_docker_kv_storage: etcd
zun_docker_kv_port: 2379
zun_docker_kv_group: zun_api

## Default zun+docker options used within the systemd unit file.
zun_docker_init_defaults:
  Service:
    ExecStart:
      - ""
      - "/usr/bin/dockerd --group {{ zun_system_group_name }} -H tcp://{{ zun_docker_bind_host }}:{{ zun_docker_bind_port }} -H unix:///var/run/docker.sock --cluster-store {{ zun_docker_kv_storage }}://{% for item in groups[zun_docker_kv_group] %}{{ hostvars[item]['management_address'] }}:{{ zun_docker_kv_port }}{% if not loop.last %},{% endif %}{% endfor %}{% if zun_kata_enabled %} --add-runtime kata=/opt/kata/bin/kata-runtime{% endif %}" # noqa: yaml[line-length]

## Tunable overrides for service unit files.
zun_api_paste_ini_overrides: {}
zun_api_init_overrides: {}
zun_wsproxy_init_overrides: {}
zun_compute_init_overrides: {}
zun_kuryr_init_overrides: {}
zun_docker_init_overrides: {}
zun_docker_cleanup_init_overrides: {}
zun_policy_overrides: {}

###
### Backend TLS
###

# Define if communication between haproxy and service backends should be
# encrypted with TLS.
zun_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"

# Storage location for SSL certificate authority
zun_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"

# Delegated host for operating the certificate authority
zun_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"

# zun server certificate
zun_pki_keys_path: "{{ zun_pki_dir ~ '/certs/private/' }}"
zun_pki_certs_path: "{{ zun_pki_dir ~ '/certs/certs/' }}"
zun_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
zun_pki_regen_cert: ''
zun_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
zun_pki_certificates:
  - name: "zun_{{ ansible_facts['hostname'] }}"
    provider: ownca
    cn: "{{ ansible_facts['hostname'] }}"
    san: "{{ zun_pki_san }}"
    signed_by: "{{ zun_pki_intermediate_cert_name }}"

# zun destination files for SSL certificates
zun_ssl_cert: /etc/zun/zun.pem
zun_ssl_key: /etc/zun/zun.key

# Installation details for SSL certificates
zun_pki_install_certificates:
  - src: "{{ zun_user_ssl_cert | default(zun_pki_certs_path ~ 'zun_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
    dest: "{{ zun_ssl_cert }}"
    owner: "{{ zun_system_user_name }}"
    group: "{{ zun_system_user_name }}"
    mode: "0644"
  - src: "{{ zun_user_ssl_key | default(zun_pki_keys_path ~ 'zun_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
    dest: "{{ zun_ssl_key }}"
    owner: "{{ zun_system_user_name }}"
    group: "{{ zun_system_user_name }}"
    mode: "0600"

# Define user-provided SSL certificates
# zun_user_ssl_cert: <path to cert on ansible deployment host>
# zun_user_ssl_key: <path to cert on ansible deployment host>

Dependencies

This role needs pip >= 7.1 installed on the target host.

Example playbook

---

- name: Gather zun facts
  hosts: zun_all
  gather_facts: True
  tags:
    - always

- name: Install zun services
  hosts: zun_all
  gather_facts: False
  serial:
    - 1
    - "100%"
  user: root
  environment: "{{ deployment_environment_variables | default({}) }}"
  tags:
    - zun
  roles:
    - role: "os_zun"

Tags

This role supports two tags: zun-install and zun-config

The zun-install tag can be used to install and upgrade.

The zun-config tag can be used to manage configuration.

CPU platform compatibility

This role supports multiple CPU architecture types. At least one repo_build node must exist for each CPU type that is in use in the deployment.

Currently supported CPU architectures:
  • x86_64 / amd64

  • ppc64le

At this time, ppc64le is only supported for the Compute node type. It can not be used to manage the OpenStack-Ansible management nodes.

Compute driver compatibility

This role supports multiple zun compute driver types. The following compute drivers are supported:

  • libvirt (default)

  • ironic

  • lxd (via zun-lxd)

  • powervm (via zun-powervm)

The driver type is automatically detected by the OpenStack Ansible Nova role for the following compute driver types:

  • libvirt (kvm / qemu)

  • powervm

Any mix and match of compute node types can be used for those platforms, except for ironic.

If using the lxd driver, the compute type must be specified using the zun_virt_type variable.

The zun_virt_type may be set in /etc/openstack_deploy/user_variables.yml, for example:

zun_virt_type: lxd

You can set zun_virt_type per host by using host_vars in /etc/openstack_deploy/openstack_user_config.yml. For example:

compute_hosts:
 aio1:
   ip: 172.29.236.100
   host_vars:
     zun_virt_type: lxd

If zun_virt_type is set in /etc/openstack_deploy/user_variables.yml, all nodes in the deployment are set to that hypervisor type. Setting zun_virt_type in both /etc/openstack_deploy/user_variables.yml and /etc/openstack_deploy/openstack_user_config.yml will always result in the value specified in /etc/openstack_deploy/user_variables.yml being set on all hosts.