Group and node type variables for nova-compute hypervisors

etc/kayobe/compute.yml

@@ -66,6 +66,18 @@ compute_network_interfaces: >
 # List of compute volume groups. See mrlesmithjr.manage-lvm role for
 # format.
 #compute_lvm_groups:
+controller_lvm_groups:
+  - vgname: nova-compute
+    disks:
+      - /dev/sdb
+    create: true
+    lvnames:
+      - lvname: nova-compute-0
+        size: "100%FREE"
+        create: true
+        mount: true
+        filesystem: ext4
+        mntp: /var/lib/nova
 
 # Default list of compute volume groups. See mrlesmithjr.manage-lvm role for
 # format.

etc/kayobe/inventory/group_vars/compute/firewall

+---
+
+firewallgen_enable_firewall: True
+
+firewallgen_ipv4_input_allow_rules:
+  - interface: "lo"
+    port: 25
+    proto: tcp
+    destination: "127.0.0.1"
+    comment: "hint: used by 'master'"
+  - interface: "lo"
+    port: 6633
+    proto: tcp
+    destination: "127.0.0.1"
+    comment: "hint: used by 'neutron-openvsw' in docker container 'neutron_openvswitch_agent'"
+  - interface: "lo"
+    port: 6640
+    proto: tcp
+    destination: "127.0.0.1"
+    comment: "hint: used by 'ovsdb-server' in docker container 'openvswitch_db'"
+  - interface: "{{ admin_oc_net_interface }}"
+    port: 22
+    proto: tcp
+    comment: "hint: used by 'sshd'"
+  - interface: "{{ internal_net_interface }}"
+    port: 8022
+    proto: tcp
+    destination: "{{ internal_net_name | net_ip }}"
+    comment: "hint: used by 'sshd' in docker container 'nova_ssh'"
+  - interface: "{{ internal_net_interface }}"
+    port: 9100
+    proto: tcp
+    destination: "{{ internal_net_name | net_ip }}"
+    comment: "hint: used by 'node_exporter' in docker container 'prometheus_node_exporter'"
+  - interface: "{{ internal_net_interface }}"
+    port: 9177
+    proto: tcp
+    destination: "{{ internal_net_name | net_ip }}"
+    comment: "hint: used by 'libvirt_exporte' in docker container 'prometheus_libvirt_exporter'"
+  - interface: "{{ internal_net_interface }}"
+    port: 16509
+    proto: tcp
+    destination: "{{ internal_net_name | net_ip }}"
+    comment: "hint: used by 'libvirtd' in docker container 'nova_libvirt'"
+  - interface: "{{ internal_net_name | net_interface }}"
+    port: 9197
+    proto: tcp
+    destination: "{{ internal_net_name | net_ip }}"
+    comment: "hint: used by 'mtail' in docker container 'prometheus_mtail'"
+  - interface: "{{ internal_net_name | net_interface }}"
+    port: 18080
+    proto: tcp
+    destination: "{{ internal_net_name | net_ip }}"
+    comment: "hint: used by 'cadvisor' in docker container 'prometheus_cadvisor'"
+  - interface: "{{ internal_net_name | net_interface }}"
+    port: 49152:49215
+    proto: tcp
+    destination: "{{ internal_net_name | net_ip }}"
+    comment: "Nova live migration"
+  - interface: "{{ internal_net_name | net_interface }}"
+    port: 5900:6000
+    proto: tcp
+    destination: "{{ internal_net_name | net_ip }}"
+    comment: "libvirt serial consoles"
+  - interface: "docker0"
+    port: 123
+    proto: udp
+    destination: "172.17.0.1"
+    comment: "hint: used by 'ntpd'"
+  - interface: "lo"
+    port: 123
+    proto: udp
+    destination: "127.0.0.1"
+    comment: "hint: used by 'ntpd'"
+  - interface: "lo"
+    port: 323
+    proto: udp
+    destination: "127.0.0.1"
+    comment: "hint: used by 'chronyd' in docker container 'chrony'"
+  - interface: "lo"
+    port: 5140
+    proto: udp
+    destination: "127.0.0.1"
+    comment: "hint: used by 'fluentd' in docker container 'fluentd'"
+  - interface: "{{ internal_net_interface }}"
+    port: 123
+    proto: udp
+    destination: "{{ internal_net_name | net_ip }}"
+    comment: "hint: used by 'ntpd'"
+  - interface: "{{ internal_net_interface }}"
+    port: 5140
+    proto: udp
+    destination: "{{ internal_net_name | net_ip }}"
+    comment: "hint: used by 'fluentd' in docker container 'fluentd'"
+  - interface: "{{ tunnel_net_name | net_interface }}"
+    port: 4789
+    proto: udp
+    destination: "{{ tunnel_net_name | net_ip }}"
+    comment: "required for VXLANs to work"

etc/kayobe/inventory/group_vars/compute/firewallgen

+--
+
+firewallgen_libvirt_serial_console_range_start: 5900
+firewallgen_libvirt_serial_console_range_end: 6000
+
+firewallgen_nova_migrate_range_start: 49152
+firewallgen_nova_migrate_range_end: 49215
+
+firewallgen_ipv4_input_allow_rewrite_rules_compute:
+  # systemd socket activation for portmapper service
+  - '. | map(select(.port != 111))'
+  # drop 4789 and add explictly it the custom_rules_extra
+  - '. | map(select(.port != 4789))'
+  # libvirt serial console range is added explictly (see below)
+  - >-
+    . | map(select(.port < {{ firewallgen_libvirt_serial_console_range_start }}  or
+                   .port > {{ firewallgen_libvirt_serial_console_range_end }} ))
+
+firewallgen_ipv4_input_allow_rewrite_rules: >
+  {{ firewallgen_ipv4_input_allow_rewrite_rules_compute +
+  firewallgen_ipv4_input_allow_rewrite_rules_all }}
+
+firewallgen_ipv4_input_allow_custom_rules_extra:
+  # Libvirt serial consoles, based on:
+  # https://blog.scottlowe.org/2013/09/10/adjusting-vnc-console-access-via-libvirt-xml/
+  # https://libvirt.org/git/?p=libvirt.git;a=blob;f=src/qemu/qemu.conf#l387
+  - interface: "{{ firewallgen_interface_tmpl % 'internal_net_name' }}"
+    port: "{{ firewallgen_libvirt_serial_console_range_start }}:{{ firewallgen_libvirt_serial_console_range_end }}"
+    proto: tcp
+    destination: "{% raw %}{{ internal_net_name | net_ip }}{% endraw %}"
+    comment: libvirt serial consoles
+
+  - interface: "{{ firewallgen_interface_tmpl % 'tunnel_net_name' }}"
+    destination: "{% raw %}{{ tunnel_net_name | net_ip }}{% endraw %}"
+    port: 4789
+    proto: udp
+    comment: required for VXLANs to work
+
+  - interface: "{{ firewallgen_interface_tmpl % 'internal_net_name' }}"
+    port: "{{ firewallgen_nova_migrate_range_start }}:{{ firewallgen_nova_migrate_range_end }}"
+    proto: tcp
+    destination: "{% raw %}{{ internal_net_name | net_ip }}{% endraw %}"
+    comment: Nova live migration

etc/kayobe/inventory/group_vars/compute/lvm

 ---
 nova_instance_datadir_volume: /var/lib/nova
-
-compute_lvm_groups:
-  - vgname: instances-disk
-    disks:
-      - /dev/sdb
-    create: true
-    lvnames:
-      - lvname: instances-disk-0
-        size: "100%FREE"
-        create: true
-        mount: true
-        filesystem: ext4
-        mntp: "{{ nova_instance_datadir_volume }}"

etc/kayobe/inventory/group_vars/compute/network-interfaces

@@ -2,30 +2,26 @@
 ###############################################################################
 # Network interface definitions for the compute group.
 
-# Overcloud provisioning network IP information.
-# provision_oc_net_interface:
-# provision_oc_net_bridge_ports:
-# provision_oc_net_bond_slaves:
+# Bond on dual 10gbE port
+br_net_interface: brbond0
+br_net_bridge_ports:
+  - bond0
 
-# Internal network IP information.
-# internal_net_interface:
-# internal_net_bridge_ports:
-# internal_net_bond_slaves:
+bond0_net_interface: bond0
+bond0_net_bond_slaves:
+  - eno1
+  - eno2
 
-# External network IP information.
-# external_net_interface:
-# external_net_bridge_ports:
-# external_net_bond_slaves:
+compute_1gbe_interface: eno3
 
-# Storage network IP information.
-# storage_net_interface:
-# storage_net_bridge_ports:
-# storage_net_bond_slaves:
+# Admin network IP information.
+admin_oc_net_interface: "{{ compute_1gbe_interface }}.{{ admin_oc_net_vlan }}"
+admin_oc_net_gateway: "10.{{ admin_oc_net_vlan }}.0.1"
 
-# Ceph storage network IP information.
-# ceph_storage_net_interface:
-# ceph_storage_net_bridge_ports:
-# ceph_storage_net_bond_slaves:
+# Overcloud networks on bond bridge
+internal_net_interface: "{{ br_net_interface }}.{{ internal_net_vlan }}"
+tunnel_net_interface: "{{ br_net_interface }}.{{ tunnel_net_vlan }}"
+storage_net_interface: "{{ br_net_interface }}.{{ storage_net_vlan }}"
 
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.