Zun role for OpenStack-Ansible¶
- tags:
openstack, zun, cloud, ansible
- category:
*nix
- 此 role 将安装以下 Systemd 服务
zun-server
zun-compute
要克隆或查看此仓库的源代码,请访问 os_zun 的 role 仓库。
默认变量¶
# Enable/Disable barbican configurations
zun_barbican_enabled: "{{ (groups['barbican_all'] is defined) and (groups['barbican_all'] | length > 0) }}"
# Enable/Disable designate configurations
zun_designate_enabled: "{{ (groups['designate_all'] is defined) and (groups['designate_all'] | length > 0) }}"
# Notification topics for designate.
zun_notifications_designate: notifications_designate
# Enable/Disable ceilometer configurations
zun_ceilometer_enabled: "{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}"
## Verbosity Options
debug: false
# python venv executable
zun_venv_python_executable: "{{ openstack_venv_python_executable | default('python3') }}"
# Set the host which will execute the shade modules
# for the service setup. The host must already have
# clouds.yaml properly configured.
zun_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
zun_service_setup_host_python_interpreter: >-
{{
openstack_service_setup_host_python_interpreter | default(
(zun_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
}}
# Set the package install state for distribution packages
# Options are 'present' and 'latest'
zun_package_state: "{{ package_state | default('latest') }}"
zun_git_repo: https://opendev.org/openstack/zun
zun_git_install_branch: master
zun_kuryr_git_repo: https://opendev.org/openstack/kuryr-libnetwork
zun_kuryr_git_install_branch: master
# This is only required until kuryr-libnetwork depends upon a version of kuryr-lib
# which includes https://review.opendev.org/c/openstack/kuryr/+/764908
zun_kuryr_lib_git_repo: https://opendev.org/openstack/kuryr
zun_kuryr_lib_git_install_branch: master
zun_upper_constraints_url: >-
{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}
zun_git_constraints:
- "--constraint {{ zun_upper_constraints_url }}"
zun_pip_install_args: "{{ pip_install_options | default('') }}"
# Name of the virtual env to deploy into
zun_venv_tag: "{{ venv_tag | default('untagged') }}"
zun_bin: "/openstack/venvs/zun-{{ zun_venv_tag }}/bin"
zun_fatal_deprecations: false
## Zun user information
zun_system_user_name: zun
zun_system_group_name: zun
zun_system_shell: /bin/false
zun_system_comment: zun system user
zun_system_home_folder: "/var/lib/{{ zun_system_user_name }}"
zun_system_slice_name: zun
zun_log_dir: "/var/log/zun"
zun_lock_dir: "{{ openstack_lock_dir | default('/run/lock') }}"
## Kuryr user information
zun_kuryr_system_user_name: root
zun_kuryr_system_group_name: root
zun_kuryr_system_shell: /bin/false
zun_kuryr_system_comment: kuryr system user
zun_kuryr_system_home_folder: "/var/lib/{{ zun_kuryr_system_user_name }}"
zun_kuryr_log_dir: "/var/log/kuryr"
## Docker setup information
zun_docker_package_version: "{{ _zun_docker_package_version }}"
zun_architecture_mapping:
x86_64: amd64
ppc64le: ppc64el
s390x: s390x
armv7l: armhf
aarch64: arm64
zun_containerd_package_version: "{{ _zun_containerd_package_version }}"
zun_kata_package_version: "3.16.0"
zun_kata_package_source: >-
https://github.com/kata-containers/kata-containers/releases/download/{{ zun_kata_package_version }}/kata-static-{{ zun_kata_package_version }}-{{
zun_architecture_mapping.get(ansible_facts['architecture']) }}.tar.xz
zun_kata_package_checksum_mapping:
x86_64: sha256:56cb69a7bb6d3364e92155e06283972e71654a88c70816a55f891f209a8f74db
ppc64le: sha256:858a95491a6764b95e5540423935e14b39b335287ef7d861a90b046f644d7d8e
s390x: sha256:b866b73f4af6b7418febb87c0c5d7af825f9e91066c3629dea3196b3b85b0192
aarch64: sha256:161875f74282015a5f4d86ca9d06f4e47626402eddaf5cccd288a5a3e82d87e0
zun_kata_enabled: "True"
# Set a list of users that are permitted to execute the docker binary.
zun_docker_users:
- "{{ zun_system_user_name }}"
- "{{ zun_kuryr_system_user_name }}"
# Set the docker api version. The default is false, which will result in no
# option being set in config for api servers. On compute hosts the docker api
# version will be used as determined by the client version information.
zun_docker_api_version: false
# Set the address for Docker to bind to. Used by the wsproxy console forwarder
zun_docker_bind_host: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
zun_docker_bind_port: 2375
# Should Docker image cache data be periodically cleaned up?
zun_docker_prune_images: false
# Time period for which to clean up old Docker data. The options are hour, day,
# month, or year. (string value)
zun_docker_prune_frequency: hour
## Manually specified zun UID/GID
# Deployers can specify a UID for the zun user as well as the GID for the
# zun group if needed. This is commonly used in environments where shared
# storage is used, such as NFS or GlusterFS, and zun UID/GID values must be
# in sync between multiple servers.
#
# WARNING: Changing these values on an existing deployment can lead to
# failures, errors, and instability.
#
# zun_system_user_uid = <UID>
# zun_system_group_gid = <GID>
## Database info
zun_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}"
zun_db_setup_python_interpreter: >-
{{
openstack_db_setup_python_interpreter | default((zun_db_setup_host == 'localhost') | ternary(
ansible_playbook_python, ansible_facts['python']['executable']))
}}
zun_galera_address: "{{ galera_address | default('127.0.0.1') }}"
zun_galera_user: zun
zun_galera_database: zun
zun_db_max_overflow: "{{ openstack_db_max_overflow | default('50') }}"
zun_db_max_pool_size: "{{ openstack_db_max_pool_size | default('5') }}"
zun_db_pool_timeout: "{{ openstack_db_pool_timeout | default('30') }}"
zun_db_connection_recycle_time: "{{ openstack_db_connection_recycle_time | default('600') }}"
# Toggle whether zun connects via an encrypted connection
zun_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
# The path where to store the database server CA certificate
zun_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
zun_galera_port: "{{ galera_port | default('3306') }}"
## RabbitMQ info
## Configuration for RPC communications
zun_rpc_thread_pool_size: 64
zun_rpc_conn_pool_size: 30
zun_rpc_response_timeout: 60
## Oslo Messaging info
# RPC
zun_oslomsg_rpc_host_group: "{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}"
zun_oslomsg_rpc_setup_host: "{{ (zun_oslomsg_rpc_host_group in groups) | ternary(groups[zun_oslomsg_rpc_host_group][0], 'localhost') }}"
zun_oslomsg_rpc_transport: "{{ oslomsg_rpc_transport | default('rabbit') }}"
zun_oslomsg_rpc_servers: "{{ oslomsg_rpc_servers | default('127.0.0.1') }}"
zun_oslomsg_rpc_port: "{{ oslomsg_rpc_port | default('5672') }}"
zun_oslomsg_rpc_use_ssl: "{{ oslomsg_rpc_use_ssl | default(False) }}"
zun_oslomsg_rpc_userid: zun
# vhost name depends on value of oslomsg_rabbit_quorum_queues. In case quorum queues
# are not used - vhost name will be prefixed with leading `/`.
zun_oslomsg_rpc_vhost:
- name: /zun
state: "{{ zun_oslomsg_rabbit_quorum_queues | ternary('absent', 'present') }}"
- name: zun
state: "{{ zun_oslomsg_rabbit_quorum_queues | ternary('present', 'absent') }}"
zun_oslomsg_rpc_ssl_version: "{{ oslomsg_rpc_ssl_version | default('TLSv1_2') }}"
zun_oslomsg_rpc_ssl_ca_file: "{{ oslomsg_rpc_ssl_ca_file | default('') }}"
zun_oslomsg_rpc_policies: []
# Notify
zun_oslomsg_notify_configure: "{{ oslomsg_notify_configure | default(zun_ceilometer_enabled or zun_designate_enabled) }}"
zun_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
zun_oslomsg_notify_setup_host: "{{ (zun_oslomsg_notify_host_group in groups) | ternary(groups[zun_oslomsg_notify_host_group][0], 'localhost') }}"
zun_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
zun_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
zun_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
zun_oslomsg_notify_use_ssl: "{{ oslomsg_notify_use_ssl | default(False) }}"
zun_oslomsg_notify_userid: "{{ zun_oslomsg_rpc_userid }}"
zun_oslomsg_notify_password: "{{ zun_oslomsg_rpc_password }}"
zun_oslomsg_notify_vhost: "{{ zun_oslomsg_rpc_vhost }}"
zun_oslomsg_notify_ssl_version: "{{ oslomsg_notify_ssl_version | default('TLSv1_2') }}"
zun_oslomsg_notify_ssl_ca_file: "{{ oslomsg_notify_ssl_ca_file | default('') }}"
zun_oslomsg_notify_policies: []
## RabbitMQ integration
zun_oslomsg_rabbit_quorum_queues: "{{ oslomsg_rabbit_quorum_queues | default(True) }}"
zun_oslomsg_rabbit_stream_fanout: "{{ oslomsg_rabbit_stream_fanout | default(zun_oslomsg_rabbit_quorum_queues) }}"
zun_oslomsg_rabbit_transient_quorum_queues: "{{ oslomsg_rabbit_transient_quorum_queues | default(zun_oslomsg_rabbit_stream_fanout) }}"
zun_oslomsg_rabbit_qos_prefetch_count: "{{ oslomsg_rabbit_qos_prefetch_count | default(zun_oslomsg_rabbit_stream_fanout | ternary(10, 0)) }}"
zun_oslomsg_rabbit_queue_manager: "{{ oslomsg_rabbit_queue_manager | default(zun_oslomsg_rabbit_quorum_queues) }}"
zun_oslomsg_rabbit_quorum_delivery_limit: "{{ oslomsg_rabbit_quorum_delivery_limit | default(0) }}"
zun_oslomsg_rabbit_quorum_max_memory_bytes: "{{ oslomsg_rabbit_quorum_max_memory_bytes | default(0) }}"
# If this is not set, then the playbook will try to guess it.
# zun_virt_type: kvm
## Zun Auth
zun_service_region: "{{ service_region | default('RegionOne') }}"
zun_service_project_name: "service"
zun_service_project_domain_id: default
zun_service_user_domain_id: default
zun_service_user_name: "zun"
zun_service_role_names:
- admin
- service
zun_service_token_roles:
- service
zun_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
## Zun Auth for kuryr
zun_kuryr_service_username: kuryr
## Keystone authentication middleware
zun_keystone_auth_plugin: password
## Zun WebSocket Proxy
zun_wsproxy_proto: "{{ (openstack_service_publicuri_proto | default('http') == 'https') | ternary('wss', 'ws') }}"
zun_wsproxy_port: 6784
zun_wsproxy_host: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
zun_wsproxy_base_uri: "{{ zun_wsproxy_proto }}://{{ external_lb_vip_address }}:{{ zun_wsproxy_port }}"
## Zun v1
zun_service_name: zun
zun_service_type: container
zun_service_proto: http
zun_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(zun_service_proto) }}"
zun_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(zun_service_proto) }}"
zun_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(zun_service_proto) }}"
zun_service_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
zun_service_port: 9517
zun_kuryr_service_address: 127.0.0.1
zun_kuryr_service_port: 23750
zun_service_description: "Zun Compute Service"
zun_service_publicuri: "{{ zun_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ zun_service_port }}"
zun_service_publicurl: "{{ zun_service_publicuri }}"
zun_service_adminuri: "{{ zun_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ zun_service_port }}"
zun_service_adminurl: "{{ zun_service_adminuri }}"
zun_service_internaluri: "{{ zun_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ zun_service_port }}"
zun_service_internalurl: "{{ zun_service_internaluri }}"
zun_service_endpoint_type: internalURL
## General Zun configuration
# Select between the 'runc' or 'kata' runtime
zun_container_runtime: runc
# If ``zun_osapi_compute_workers`` is unset the system will use half the number of available VCPUS to
# compute the number of api workers to use.
# zun_osapi_compute_workers: 16
# If ``zun_conductor_workers`` is unset the system will use half the number of available VCPUS to
# compute the number of api workers to use.
# zun_conductor_workers: 16
# If ``zun_metadata_workers`` is unset the system will use half the number of available VCPUS to
# compute the number of api workers to use.
# zun_metadata_workers: 16
## Cap the maximun number of threads / workers when a user value is unspecified.
zun_api_threads_max: 16
zun_api_threads: >-
{{ [[(ansible_facts['processor_vcpus'] // ansible_facts['processor_threads_per_core']) | default(1), 1] | max * 2, zun_api_threads_max] | min }}
zun_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
zun_scheduler_default_filters: >-
AvailabilityZoneFilter,
ComputeFilter
zun_scheduler_available_filters: zun.scheduler.filters.all_filters
zun_scheduler_driver: filter_scheduler
## uWSGI setup
zun_wsgi_threads: 1
zun_wsgi_processes_max: 16
zun_wsgi_processes: "{{ [[ansible_facts['processor_vcpus'] | default(1), 1] | max * 2, zun_wsgi_processes_max] | min }}"
## Service Name-Group Mapping
zun_services:
kuryr-libnetwork:
group: zun_compute
service_name: kuryr-libnetwork
condition: "{{ inventory_hostname in groups['zun_compute'] }}"
init_config_overrides: "{{ zun_kuryr_init_defaults | combine(zun_kuryr_init_overrides, recursive=True) }}"
start_order: 3
wsgi_app: true
wsgi: kuryr_libnetwork.server:app
uwsgi_bind_address: "{{ zun_kuryr_service_address }}"
uwsgi_port: "{{ zun_kuryr_service_port }}"
uwsgi_overrides: "{{ zun_kuryr_uwsgi_conf_overrides }}"
uwsgi_uid: "{{ zun_kuryr_system_user_name }}"
uwsgi_guid: "{{ zun_kuryr_system_group_name }}"
zun-api:
group: zun_api
service_name: zun-api
init_config_overrides: "{{ zun_api_init_overrides }}"
start_order: 1
wsgi_app: true
wsgi: "zun.wsgi.api:application"
uwsgi_bind_address: "{{ zun_service_address }}"
uwsgi_port: "{{ zun_service_port }}"
uwsgi_overrides: "{{ zun_uwsgi_conf_overrides }}"
uwsgi_uid: "{{ zun_system_user_name }}"
uwsgi_guid: "{{ zun_system_group_name }}"
uwsgi_tls: "{{ zun_backend_ssl | ternary(zun_uwsgi_tls, {}) }}"
zun-compute:
group: zun_compute
service_name: zun-compute
init_config_overrides: "{{ zun_compute_init_overrides }}"
start_order: 5
execstarts: "{{ zun_bin }}/zun-compute --config-dir /etc/zun"
zun-wsproxy:
group: zun_api
service_name: zun-wsproxy
init_config_overrides: "{{ zun_wsproxy_init_overrides }}"
start_order: 2
execstarts: "{{ zun_bin }}/zun-wsproxy --config-dir /etc/zun"
zun-docker-cleanup:
group: zun_compute
service_name: zun-docker-cleanup
init_config_overrides: "{{ zun_docker_cleanup_init_overrides }}"
start_order: 6
execstarts: "{{ zun_bin }}/zun-docker-cleanup"
timer:
state: started
options:
OnBootSec: 30min
OnCalendar: "{{ (zun_docker_prune_frequency == 'day') | ternary('daily', zun_docker_prune_frequency + 'ly') }}"
Persistent: true
docker:
group: zun_compute
service_name: docker
init_config_overrides: {}
start_order: 4
systemd_overrides_only: true
systemd_overrides: "{{ zun_docker_init_defaults | combine(zun_docker_init_overrides, recursive=True) }}"
# Common pip packages
zun_pip_packages:
- "git+{{ zun_git_repo }}@{{ zun_git_install_branch }}#egg=zun"
- "git+{{ zun_kuryr_lib_git_repo }}@{{ zun_kuryr_lib_git_install_branch }}#egg=kuryr-lib"
- "git+{{ zun_kuryr_git_repo }}@{{ zun_kuryr_git_install_branch }}#egg=kuryr-libnetwork"
- oslo_rootwrap
- osprofiler
- python-memcached
- pymemcache
- python-zunclient
- pymysql
- systemd-python
zun_memcached_servers: "{{ memcached_servers }}"
## Default service options used within all systemd unit files.
zun_service_defaults: {}
## Tunable overrides for services
zun_zun_conf_overrides: {}
zun_rootwrap_conf_overrides: {}
zun_kuryr_conf_overrides: {}
zun_docker_config_overrides: {}
zun_kuryr_config_overrides: {}
zun_uwsgi_conf_overrides: {}
zun_kuryr_uwsgi_conf_overrides:
uwsgi:
pyargv: --config-file /etc/kuryr/kuryr.conf
zun_uwsgi_tls:
crt: "{{ zun_ssl_cert }}"
key: "{{ zun_ssl_key }}"
## Default zun+kuryr options used within the systemd unit file.
zun_kuryr_init_defaults:
Unit:
Before: docker.service
After: network-online.target
Wants: network-online.target
Service:
CapabilityBoundingSet: CAP_NET_ADMIN
AmbientCapabilities: CAP_NET_ADMIN
Group: "{{ zun_kuryr_system_group_name }}"
User: "{{ zun_kuryr_system_user_name }}"
## Default zun+docker options used within the systemd unit file.
zun_docker_init_defaults:
Service:
ExecStart:
- ""
- "/usr/bin/dockerd --group {{ zun_system_group_name }} -H tcp://{{ zun_docker_bind_host }}:{{ zun_docker_bind_port }} -H unix:///var/run/docker.sock{% if zun_kata_enabled %} --add-runtime kata=/opt/kata/bin/kata-runtime{% endif %}" # noqa: yaml[line-length]
## Tunable overrides for service unit files.
zun_api_paste_ini_overrides: {}
zun_api_init_overrides: {}
zun_wsproxy_init_overrides: {}
zun_compute_init_overrides: {}
zun_kuryr_init_overrides: {}
zun_docker_init_overrides: {}
zun_docker_cleanup_init_overrides: {}
zun_policy_overrides: {}
###
### Backend TLS
###
# Define if communication between haproxy and service backends should be
# encrypted with TLS.
zun_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
# Storage location for SSL certificate authority
zun_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
# Delegated host for operating the certificate authority
zun_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
# zun server certificate
zun_pki_keys_path: "{{ zun_pki_dir ~ '/certs/private/' }}"
zun_pki_certs_path: "{{ zun_pki_dir ~ '/certs/certs/' }}"
zun_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
zun_pki_regen_cert: ""
zun_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
zun_pki_certificates:
- name: "zun_{{ ansible_facts['hostname'] }}"
provider: ownca
cn: "{{ ansible_facts['hostname'] }}"
san: "{{ zun_pki_san }}"
signed_by: "{{ zun_pki_intermediate_cert_name }}"
# zun destination files for SSL certificates
zun_ssl_cert: /etc/zun/zun.pem
zun_ssl_key: /etc/zun/zun.key
# Installation details for SSL certificates
zun_pki_install_certificates:
- src: "{{ zun_user_ssl_cert | default(zun_pki_certs_path ~ 'zun_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
dest: "{{ zun_ssl_cert }}"
owner: "{{ zun_system_user_name }}"
group: "{{ zun_system_user_name }}"
mode: "0644"
- src: "{{ zun_user_ssl_key | default(zun_pki_keys_path ~ 'zun_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
dest: "{{ zun_ssl_key }}"
owner: "{{ zun_system_user_name }}"
group: "{{ zun_system_user_name }}"
mode: "0600"
# Define user-provided SSL certificates
# zun_user_ssl_cert: <path to cert on ansible deployment host>
# zun_user_ssl_key: <path to cert on ansible deployment host>
依赖项¶
此角色需要在目标主机上安装 pip >= 7.1。
示例 playbook¶
---
- name: Gather zun facts
hosts: zun_all
gather_facts: true
tags:
- always
- name: Install zun services
hosts: zun_all
gather_facts: false
serial:
- 1
- "100%"
user: root
environment: "{{ deployment_environment_variables | default({}) }}"
tags:
- zun
roles:
- role: "os_zun"
CPU 平台兼容性¶
此 role 支持多种 CPU 架构类型。部署中使用的每种 CPU 类型至少需要一个 repo_build 节点。
- 当前支持的 CPU 架构
x86_64 / amd64
ppc64le
目前,ppc64le 仅支持 Compute 节点类型。它不能用于管理 OpenStack-Ansible 管理节点。
Compute 驱动兼容性¶
此 role 支持多种 zun compute 驱动类型。支持以下 compute 驱动程序
libvirt (默认)
ironic
lxd (通过 zun-lxd)
powervm (通过 zun-powervm)
对于以下 compute 驱动类型,OpenStack Ansible Nova role 会自动检测驱动类型
libvirt (kvm / qemu)
powervm
对于这些平台,可以使用任意组合的 compute 节点类型,除了 ironic 之外。
如果使用 lxd 驱动程序,则必须使用 zun_virt_type 变量指定 compute 类型。
可以在 /etc/openstack_deploy/user_variables.yml 中设置 zun_virt_type,例如
zun_virt_type: lxd
可以使用 host_vars 在 /etc/openstack_deploy/openstack_user_config.yml 中按主机设置 zun_virt_type。例如
compute_hosts: aio1: ip: 172.29.236.100 host_vars: zun_virt_type: lxd
如果 zun_virt_type 在 /etc/openstack_deploy/user_variables.yml 中设置,则部署中的所有节点都设置为该 hypervisor 类型。在 /etc/openstack_deploy/user_variables.yml 和 /etc/openstack_deploy/openstack_user_config.yml 中设置 zun_virt_type 将始终导致 /etc/openstack_deploy/user_variables.yml 中指定的值在所有主机上设置。
