Source code for heat.common.config

#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

"""Routines for configuring Heat."""
import os

from eventlet.green import socket
from oslo_config import cfg
from oslo_db import options as oslo_db_ops
from oslo_log import log as logging
from oslo_middleware import cors
from oslo_policy import opts as policy_opts
from osprofiler import opts as profiler

from heat.common import exception
from heat.common.i18n import _
from heat.common import wsgi


LOG = logging.getLogger(__name__)
paste_deploy_group = cfg.OptGroup('paste_deploy')
paste_deploy_opts = [
    cfg.StrOpt('flavor',
               help=_("The flavor to use.")),
    cfg.StrOpt('api_paste_config', default="api-paste.ini",
               help=_("The API paste config file to use."))]


service_opts = [
    cfg.IntOpt('periodic_interval',
               default=60,
               help=_('Seconds between running periodic tasks.')),
    cfg.StrOpt('heat_metadata_server_url',
               help=_('URL of the Heat metadata server. '
                      'NOTE: Setting this is only needed if you require '
                      'instances to use a different endpoint than in the '
                      'keystone catalog')),
    cfg.StrOpt('heat_waitcondition_server_url',
               help=_('URL of the Heat waitcondition server.')),
    cfg.StrOpt('instance_connection_is_secure',
               default="0",
               help=_('Instance connection to CFN/CW API via https.')),
    cfg.StrOpt('instance_connection_https_validate_certificates',
               default="1",
               help=_('Instance connection to CFN/CW API validate certs if '
                      'SSL is used.')),
    cfg.StrOpt('region_name_for_services',
               help=_('Default region name used to get services endpoints.')),
    cfg.StrOpt('region_name_for_shared_services',
               help=_('Region name for shared services endpoints.')),
    cfg.ListOpt('shared_services_types',
                default=['image', 'volume', 'volumev3'],
                help=_('The shared services located in the other region.'
                       'Needs region_name_for_shared_services option to '
                       'be set for this to take effect.')),
    cfg.StrOpt('heat_stack_user_role',
               default="heat_stack_user",
               help=_('Keystone role for heat template-defined users.')),
    cfg.StrOpt('stack_user_domain_id',
               deprecated_opts=[cfg.DeprecatedOpt('stack_user_domain',
                                                  group=None)],
               help=_('Keystone domain ID which contains heat '
                      'template-defined users. If this option is set, '
                      'stack_user_domain_name option will be ignored.')),
    cfg.StrOpt('stack_user_domain_name',
               help=_('Keystone domain name which contains heat '
                      'template-defined users. If `stack_user_domain_id` '
                      'option is set, this option is ignored.')),
    cfg.StrOpt('stack_domain_admin',
               help=_('Keystone username, a user with roles sufficient to '
                      'manage users and projects in the stack_user_domain.')),
    cfg.StrOpt('stack_domain_admin_password',
               secret=True,
               help=_('Keystone password for stack_domain_admin user.')),
    cfg.IntOpt('max_template_size',
               default=524288,
               help=_('Maximum raw byte size of any template.')),
    cfg.IntOpt('max_nested_stack_depth',
               default=5,
               help=_('Maximum depth allowed when using nested stacks.')),
    cfg.FloatOpt('template_fetch_timeout',
                 default=60,
                 min=0,
                 help=_('Timeout in seconds for template download.')),
    cfg.IntOpt('num_engine_workers',
               help=_('Number of heat-engine processes to fork and run. '
                      'Will default to either to 4 or number of CPUs on '
                      'the host, whichever is greater.')),
    cfg.StrOpt('server_keystone_endpoint_type',
               choices=['', 'public', 'internal', 'admin'],
               default='',
               help=_('If set, is used to control which authentication '
                      'endpoint is used by user-controlled servers to make '
                      'calls back to Heat. '
                      'If unset www_authenticate_uri is used.'))]

engine_opts = [
    cfg.ListOpt('plugin_dirs',
                default=['/usr/lib64/heat', '/usr/lib/heat',
                         '/usr/local/lib/heat', '/usr/local/lib64/heat'],
                help=_('List of directories to search for plug-ins.')),
    cfg.StrOpt('environment_dir',
               default='/etc/heat/environment.d',
               help=_('The directory to search for environment files.')),
    cfg.StrOpt('template_dir',
               default='/etc/heat/templates',
               help=_('The directory to search for template files.')),
    cfg.StrOpt('deferred_auth_method',
               choices=['password', 'trusts'],
               default='trusts',
               deprecated_for_removal=True,
               deprecated_reason='Stored password based deferred auth is '
                                 'broken when used with keystone v3 and '
                                 'is not supported.',
               deprecated_since='9.0.0',
               help=_('Select deferred auth method, '
                      'stored password or trusts.')),
    cfg.StrOpt('reauthentication_auth_method',
               choices=['', 'trusts'],
               default='',
               help=_('Allow reauthentication on token expiry, such that'
                      ' long-running tasks may complete. Note this defeats'
                      ' the expiry of any provided user tokens.')),
    cfg.BoolOpt('allow_trusts_redelegation',
                default=False,
                help=_('Create trusts with redelegation enabled. '
                       'This option is only used when '
                       'reauthentication_auth_method is set to "trusts". '
                       'Note that enabling this option does have '
                       'security implications as all trusts created by Heat '
                       'will use both impersonation and redelegation enabled. '
                       'Enable it only when there are other services that '
                       'need to create trusts from tokens Heat uses to '
                       'access them, examples are Aodh and Heat in another '
                       'region when configured to use trusts too.')),
    cfg.ListOpt('trusts_delegated_roles',
                default=[],
                help=_('Subset of trustor roles to be delegated to heat.'
                       ' If left unset, all roles of a user will be'
                       ' delegated to heat when creating a stack.')),
    cfg.IntOpt('max_resources_per_stack',
               default=1000,
               help=_('Maximum resources allowed per top-level stack. '
                      '-1 stands for unlimited.')),
    cfg.IntOpt('max_stacks_per_tenant',
               default=512,
               help=_('Maximum number of stacks any one tenant may have '
                      'active at one time. -1 stands for unlimited.')),
    cfg.IntOpt('max_software_configs_per_tenant',
               default=4096,
               help=_('Maximum number of software configs any one tenant may '
                      'have active at one time. -1 stands for unlimited.')),
    cfg.IntOpt('max_software_deployments_per_tenant',
               default=4096,
               help=_('Maximum number of software deployments any one tenant '
                      'may have active at one time.'
                      '-1 stands for unlimited.')),
    cfg.IntOpt('max_snapshots_per_stack',
               default=32,
               help=_('Maximum number of snapshot any one stack may have '
                      'active at one time. -1 stands for unlimited.')),
    cfg.IntOpt('action_retry_limit',
               default=5,
               help=_('Number of times to retry to bring a '
                      'resource to a non-error state. Set to 0 to disable '
                      'retries.')),
    cfg.IntOpt('client_retry_limit',
               default=2,
               help=_('Number of times to retry when a client encounters an '
                      'expected intermittent error. Set to 0 to disable '
                      'retries.')),
    # Server host name limit to 53 characters by due to typical default
    # linux HOST_NAME_MAX of 64, minus the .novalocal appended to the name
    cfg.IntOpt('max_server_name_length',
               default=53,
               max=53,
               help=_('Maximum length of a server name to be used '
                      'in nova.')),
    cfg.IntOpt('max_interface_check_attempts',
               min=1,
               default=10,
               help=_('Number of times to check whether an interface has '
                      'been attached or detached.')),
    cfg.FloatOpt('max_nova_api_microversion',
                 help=_('Maximum nova API version for client plugin. With '
                        'this limitation, any nova feature supported with '
                        'microversion number above max_nova_api_microversion '
                        'will not be available.')),
    cfg.FloatOpt('max_ironic_api_microversion',
                 help=_('Maximum ironic API version for client plugin. With '
                        'this limitation, any ironic feature supported with '
                        'microversion number above '
                        'max_ironic_api_microversion will not be available.')),
    cfg.IntOpt('event_purge_batch_size',
               min=1,
               default=200,
               help=_("Controls how many events will be pruned whenever a "
                      "stack's events are purged. Set this "
                      "lower to keep more events at the expense of more "
                      "frequent purges.")),
    cfg.IntOpt('max_events_per_stack',
               default=1000,
               help=_('Rough number of maximum events that will be available '
                      'per stack. Actual number of events can be a bit '
                      'higher since purge checks take place randomly '
                      '200/event_purge_batch_size percent of the time. '
                      'Older events are deleted when events are purged. '
                      'Set to 0 for unlimited events per stack.')),
    cfg.IntOpt('stack_action_timeout',
               default=3600,
               help=_('Timeout in seconds for stack action (ie. create or'
                      ' update).')),
    cfg.IntOpt('error_wait_time',
               default=240,
               help=_('The amount of time in seconds after an error has'
                      ' occurred that tasks may continue to run before'
                      ' being cancelled.')),
    cfg.IntOpt('engine_life_check_timeout',
               default=2,
               help=_('RPC timeout for the engine liveness check that is used'
                      ' for stack locking.')),
    cfg.BoolOpt('enable_stack_abandon',
                default=False,
                help=_('Enable the preview Stack Abandon feature.')),
    cfg.BoolOpt('enable_stack_adopt',
                default=False,
                help=_('Enable the preview Stack Adopt feature.')),
    cfg.BoolOpt('convergence_engine',
                default=True,
                help=_('Enables engine with convergence architecture. All '
                       'stacks with this option will be created using '
                       'convergence engine.')),
    cfg.BoolOpt('observe_on_update',
                default=False,
                help=_('On update, enables heat to collect existing resource '
                       'properties from reality and converge to '
                       'updated template.')),
    cfg.StrOpt('default_software_config_transport',
               choices=['POLL_SERVER_CFN',
                        'POLL_SERVER_HEAT',
                        'POLL_TEMP_URL',
                        'ZAQAR_MESSAGE'],
               default='POLL_SERVER_CFN',
               help=_('Template default for how the server should receive the '
                      'metadata required for software configuration. '
                      'POLL_SERVER_CFN will allow calls to the cfn API action '
                      'DescribeStackResource authenticated with the provided '
                      'keypair (requires enabled heat-api-cfn). '
                      'POLL_SERVER_HEAT will allow calls to the '
                      'Heat API resource-show using the provided keystone '
                      'credentials (requires keystone v3 API, and configured '
                      'stack_user_* config options). '
                      'POLL_TEMP_URL will create and populate a '
                      'Swift TempURL with metadata for polling (requires '
                      'object-store endpoint which supports TempURL).'
                      'ZAQAR_MESSAGE will create a dedicated zaqar queue and '
                      'post the metadata for polling.')),
    cfg.StrOpt('default_deployment_signal_transport',
               choices=['CFN_SIGNAL',
                        'TEMP_URL_SIGNAL',
                        'HEAT_SIGNAL',
                        'ZAQAR_SIGNAL'],
               default='CFN_SIGNAL',
               help=_('Template default for how the server should signal to '
                      'heat with the deployment output values. CFN_SIGNAL '
                      'will allow an HTTP POST to a CFN keypair signed URL '
                      '(requires enabled heat-api-cfn). '
                      'TEMP_URL_SIGNAL will create a Swift TempURL to be '
                      'signaled via HTTP PUT (requires object-store endpoint '
                      'which supports TempURL). '
                      'HEAT_SIGNAL will allow calls to the Heat API '
                      'resource-signal using the provided keystone '
                      'credentials. ZAQAR_SIGNAL will create a dedicated '
                      'zaqar queue to be signaled using the provided keystone '
                      'credentials.')),
    cfg.StrOpt('default_user_data_format',
               choices=['HEAT_CFNTOOLS',
                        'RAW',
                        'SOFTWARE_CONFIG'],
               default='HEAT_CFNTOOLS',
               help=_('Template default for how the user_data should be '
                      'formatted for the server. For HEAT_CFNTOOLS, the '
                      'user_data is bundled as part of the heat-cfntools '
                      'cloud-init boot configuration data. For RAW the '
                      'user_data is passed to Nova unmodified. For '
                      'SOFTWARE_CONFIG user_data is bundled as part of the '
                      'software config data, and metadata is derived from any '
                      'associated SoftwareDeployment resources.')),
    cfg.ListOpt('hidden_stack_tags',
                default=[],
                help=_('Stacks containing these tag names will be hidden. '
                       'Multiple tags should be given in a comma-delimited '
                       'list (eg. hidden_stack_tags=hide_me,me_too).')),
    cfg.BoolOpt('stack_scheduler_hints',
                default=False,
                help=_('When this feature is enabled, scheduler hints'
                       ' identifying the heat stack context of a server'
                       ' or volume resource are passed to the configured'
                       ' schedulers in nova and cinder, for creates done'
                       ' using heat resource types OS::Cinder::Volume,'
                       ' OS::Nova::Server, and AWS::EC2::Instance.'
                       ' heat_root_stack_id will be set to the id of the'
                       ' root stack of the resource, heat_stack_id will be'
                       ' set to the id of the resource\'s parent stack,'
                       ' heat_stack_name will be set to the name of the'
                       ' resource\'s parent stack, heat_path_in_stack will'
                       ' be set to a list of comma delimited strings of'
                       ' stackresourcename and stackname with list[0] being'
                       ' \'rootstackname\', heat_resource_name will be set to'
                       ' the resource\'s name, and heat_resource_uuid will be'
                       ' set to the resource\'s orchestration id.')),
    cfg.BoolOpt('encrypt_parameters_and_properties',
                default=False,
                help=_('Encrypt template parameters that were marked as'
                       ' hidden and also all the resource properties before'
                       ' storing them in database.')),
    cfg.FloatOpt('metadata_put_timeout',
                 default=60,
                 min=0,
                 help=_('Timeout in seconds for metadata update for '
                        'software deployment'))
    ]

rpc_opts = [
    cfg.StrOpt('host',
               default=socket.gethostname(),
               sample_default='<Hostname>',
               help=_('Name of the engine node. '
                      'This can be an opaque identifier. '
                      'It is not necessarily a hostname, FQDN, '
                      'or IP address.'))]

auth_password_group = cfg.OptGroup('auth_password')
auth_password_opts = [
    cfg.BoolOpt('multi_cloud',
                default=False,
                help=_('Allow orchestration of multiple clouds.')),
    cfg.ListOpt('allowed_auth_uris',
                default=[],
                help=_('Allowed keystone endpoints for auth_uri when '
                       'multi_cloud is enabled. At least one endpoint needs '
                       'to be specified.'))]

# these options define baseline defaults that apply to all clients
default_clients_opts = [
    cfg.StrOpt('endpoint_type',
               default='publicURL',
               help=_(
                   'Type of endpoint in Identity service catalog to use '
                   'for communication with the OpenStack service.')),
    cfg.StrOpt('ca_file',
               help=_('Optional CA cert file to use in SSL connections.')),
    cfg.StrOpt('cert_file',
               help=_('Optional PEM-formatted certificate chain file.')),
    cfg.StrOpt('key_file',
               help=_('Optional PEM-formatted file that contains the '
                      'private key.')),
    cfg.BoolOpt('insecure',
                default=False,
                help=_("If set, then the server's certificate will not "
                       "be verified."))]

# these options can be defined for each client
# they must not specify defaults, since any options not defined in a client
# specific group is looked up on the generic group above
clients_opts = [
    cfg.StrOpt('endpoint_type',
               help=_(
                   'Type of endpoint in Identity service catalog to use '
                   'for communication with the OpenStack service.')),
    cfg.StrOpt('ca_file',
               help=_('Optional CA cert file to use in SSL connections.')),
    cfg.StrOpt('cert_file',
               help=_('Optional PEM-formatted certificate chain file.')),
    cfg.StrOpt('key_file',
               help=_('Optional PEM-formatted file that contains the '
                      'private key.')),
    cfg.BoolOpt('insecure',
                help=_("If set, then the server's certificate will not "
                       "be verified."))]

heat_client_opts = [
    cfg.StrOpt('url',
               default='',
               help=_('Optional heat url in format like'
                      ' http://0.0.0.0:8004/v1/%(tenant_id)s.'))]

keystone_client_opts = [
    cfg.StrOpt('auth_uri',
               default='',
               help=_('Unversioned keystone url in format like'
                      ' http://0.0.0.0:5000.'))]

client_http_log_debug_opts = [
    cfg.BoolOpt('http_log_debug',
                default=False,
                help=_("Allow client's debug log output."))]

revision_group = cfg.OptGroup('revision')
revision_opts = [
    cfg.StrOpt('heat_revision',
               default='unknown',
               help=_('Heat build revision. '
                      'If you would prefer to manage your build revision '
                      'separately, you can move this section to a different '
                      'file and add it as another config option.'))]

volumes_group = cfg.OptGroup('volumes')
volumes_opts = [
    cfg.BoolOpt('backups_enabled',
                default=True,
                help=_("Indicate if cinder-backup service is enabled. "
                       "This is a temporary workaround until cinder-backup "
                       "service becomes discoverable, see LP#1334856."))]

noauth_group = cfg.OptGroup('noauth')
noauth_opts = [
    cfg.StrOpt('token_response',
               default='',
               help=_("JSON file containing the content returned by the "
                      "noauth middleware."))]


[docs] def startup_sanity_check(): if (not cfg.CONF.stack_user_domain_id and not cfg.CONF.stack_user_domain_name): # FIXME(shardy): Legacy fallback for folks using old heat.conf # files which lack domain configuration LOG.warning('stack_user_domain_id or stack_user_domain_name not ' 'set in heat.conf falling back to using default') else: domain_admin_user = cfg.CONF.stack_domain_admin domain_admin_password = cfg.CONF.stack_domain_admin_password if not (domain_admin_user and domain_admin_password): raise exception.Error(_('heat.conf misconfigured, cannot ' 'specify "stack_user_domain_id" or ' '"stack_user_domain_name" without ' '"stack_domain_admin" and ' '"stack_domain_admin_password"')) auth_key_len = len(cfg.CONF.auth_encryption_key) if auth_key_len in (16, 24): LOG.warning( 'Please update auth_encryption_key to be 32 characters.') elif auth_key_len != 32: raise exception.Error(_('heat.conf misconfigured, auth_encryption_key ' 'must be 32 characters'))
[docs] def list_opts(): yield None, rpc_opts yield None, engine_opts yield None, service_opts yield paste_deploy_group.name, paste_deploy_opts yield auth_password_group.name, auth_password_opts yield revision_group.name, revision_opts yield volumes_group.name, volumes_opts yield noauth_group.name, noauth_opts yield profiler.list_opts()[0] yield 'clients', default_clients_opts for client in ('aodh', 'barbican', 'cinder', 'designate', 'glance', 'heat', 'keystone', 'magnum', 'manila', 'mistral', 'monasca', 'neutron', 'nova', 'octavia', 'swift', 'trove', 'vitrage', 'zaqar' ): client_specific_group = 'clients_' + client yield client_specific_group, clients_opts yield 'clients_heat', heat_client_opts yield 'clients_keystone', keystone_client_opts yield 'clients_nova', client_http_log_debug_opts yield 'clients_cinder', client_http_log_debug_opts yield oslo_db_ops.list_opts()[0]
cfg.CONF.register_group(paste_deploy_group) cfg.CONF.register_group(auth_password_group) cfg.CONF.register_group(revision_group) profiler.set_defaults(cfg.CONF) for group, opts in list_opts(): cfg.CONF.register_opts(opts, group=group) def _get_deployment_flavor(): """Retrieves the paste_deploy.flavor config item. Item formatted appropriately for appending to the application name. """ flavor = cfg.CONF.paste_deploy.flavor return '' if not flavor else ('-' + flavor) def _get_deployment_config_file(): """Retrieves the deployment_config_file config item. Item formatted as an absolute pathname. """ config_path = cfg.CONF.find_file( cfg.CONF.paste_deploy['api_paste_config']) if config_path is None: return None return os.path.abspath(config_path)
[docs] def load_paste_app(app_name=None): """Builds and returns a WSGI app from a paste config file. We assume the last config file specified in the supplied ConfigOpts object is the paste config file. :param app_name: name of the application to load :raises RuntimeError: when config file cannot be located or application cannot be loaded from config file """ if app_name is None: app_name = cfg.CONF.prog # append the deployment flavor to the application name, # in order to identify the appropriate paste pipeline app_name += _get_deployment_flavor() conf_file = _get_deployment_config_file() if conf_file is None: raise RuntimeError(_("Unable to locate config file [%s]") % cfg.CONF.paste_deploy['api_paste_config']) try: app = wsgi.paste_deploy_app(conf_file, app_name, cfg.CONF) # Log the options used when starting if we're in debug mode... if cfg.CONF.debug: cfg.CONF.log_opt_values(logging.getLogger(app_name), logging.DEBUG) return app except (LookupError, ImportError) as e: raise RuntimeError(_("Unable to load %(app_name)s from " "configuration file %(conf_file)s." "\nGot: %(e)r") % {'app_name': app_name, 'conf_file': conf_file, 'e': e})
[docs] def get_client_option(client, option): # look for the option in the [clients_${client}] section # unknown options raise cfg.NoSuchOptError try: group_name = 'clients_' + client cfg.CONF.import_opt(option, 'heat.common.config', group=group_name) v = getattr(getattr(cfg.CONF, group_name), option) if v is not None: return v except cfg.NoSuchGroupError: pass # do not error if the client is unknown # look for the option in the generic [clients] section cfg.CONF.import_opt(option, 'heat.common.config', group='clients') return getattr(cfg.CONF.clients, option)
[docs] def get_ssl_options(client): # Look for the ssl options in the [clients_${client}] section cacert = get_client_option(client, 'ca_file') insecure = get_client_option(client, 'insecure') cert = get_client_option(client, 'cert_file') key = get_client_option(client, 'key_file') if insecure: verify = False else: verify = cacert or True if cert and key: cert = (cert, key) return {'verify': verify, 'cert': cert}
[docs] def set_config_defaults(): """This method updates all configuration default values.""" cors.set_defaults( allow_headers=['X-Auth-Token', 'X-Identity-Status', 'X-Roles', 'X-Service-Catalog', 'X-User-Id', 'X-Tenant-Id', 'X-OpenStack-Request-ID'], expose_headers=['X-Auth-Token', 'X-Subject-Token', 'X-Service-Token', 'X-OpenStack-Request-ID'], allow_methods=['GET', 'PUT', 'POST', 'DELETE', 'PATCH'] ) # TODO(gmann): Remove setting the default value of config policy_file # once oslo_policy change the default value to 'policy.yaml'. # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49 policy_opts.set_defaults(cfg.CONF, 'policy.yaml')