#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""Routines for configuring Heat."""
import os
from eventlet.green import socket
from oslo_config import cfg
from oslo_db import options as oslo_db_ops
from oslo_log import log as logging
from oslo_middleware import cors
from oslo_policy import opts as policy_opts
from osprofiler import opts as profiler
from heat.common import exception
from heat.common.i18n import _
from heat.common import wsgi
LOG = logging.getLogger(__name__)
paste_deploy_group = cfg.OptGroup('paste_deploy')
paste_deploy_opts = [
cfg.StrOpt('flavor',
help=_("The flavor to use.")),
cfg.StrOpt('api_paste_config', default="api-paste.ini",
help=_("The API paste config file to use."))]
service_opts = [
cfg.IntOpt('periodic_interval',
default=60,
help=_('Seconds between running periodic tasks.')),
cfg.StrOpt('heat_metadata_server_url',
help=_('URL of the Heat metadata server. '
'NOTE: Setting this is only needed if you require '
'instances to use a different endpoint than in the '
'keystone catalog')),
cfg.StrOpt('heat_waitcondition_server_url',
help=_('URL of the Heat waitcondition server.')),
cfg.StrOpt('instance_connection_is_secure',
default="0",
help=_('Instance connection to CFN/CW API via https.')),
cfg.StrOpt('instance_connection_https_validate_certificates',
default="1",
help=_('Instance connection to CFN/CW API validate certs if '
'SSL is used.')),
cfg.StrOpt('region_name_for_services',
help=_('Default region name used to get services endpoints.')),
cfg.StrOpt('region_name_for_shared_services',
help=_('Region name for shared services endpoints.')),
cfg.ListOpt('shared_services_types',
default=['image', 'volume', 'volumev3'],
help=_('The shared services located in the other region.'
'Needs region_name_for_shared_services option to '
'be set for this to take effect.')),
cfg.StrOpt('heat_stack_user_role',
default="heat_stack_user",
help=_('Keystone role for heat template-defined users.')),
cfg.StrOpt('stack_user_domain_id',
deprecated_opts=[cfg.DeprecatedOpt('stack_user_domain',
group=None)],
help=_('Keystone domain ID which contains heat '
'template-defined users. If this option is set, '
'stack_user_domain_name option will be ignored.')),
cfg.StrOpt('stack_user_domain_name',
help=_('Keystone domain name which contains heat '
'template-defined users. If `stack_user_domain_id` '
'option is set, this option is ignored.')),
cfg.StrOpt('stack_domain_admin',
help=_('Keystone username, a user with roles sufficient to '
'manage users and projects in the stack_user_domain.')),
cfg.StrOpt('stack_domain_admin_password',
secret=True,
help=_('Keystone password for stack_domain_admin user.')),
cfg.IntOpt('max_template_size',
default=524288,
help=_('Maximum raw byte size of any template.')),
cfg.IntOpt('max_nested_stack_depth',
default=5,
help=_('Maximum depth allowed when using nested stacks.')),
cfg.FloatOpt('template_fetch_timeout',
default=60,
min=0,
help=_('Timeout in seconds for template download.')),
cfg.IntOpt('num_engine_workers',
help=_('Number of heat-engine processes to fork and run. '
'Will default to either to 4 or number of CPUs on '
'the host, whichever is greater.')),
cfg.StrOpt('server_keystone_endpoint_type',
choices=['', 'public', 'internal', 'admin'],
default='',
help=_('If set, is used to control which authentication '
'endpoint is used by user-controlled servers to make '
'calls back to Heat. '
'If unset www_authenticate_uri is used.'))]
engine_opts = [
cfg.ListOpt('plugin_dirs',
default=['/usr/lib64/heat', '/usr/lib/heat',
'/usr/local/lib/heat', '/usr/local/lib64/heat'],
help=_('List of directories to search for plug-ins.')),
cfg.StrOpt('environment_dir',
default='/etc/heat/environment.d',
help=_('The directory to search for environment files.')),
cfg.StrOpt('template_dir',
default='/etc/heat/templates',
help=_('The directory to search for template files.')),
cfg.StrOpt('deferred_auth_method',
choices=['password', 'trusts'],
default='trusts',
deprecated_for_removal=True,
deprecated_reason='Stored password based deferred auth is '
'broken when used with keystone v3 and '
'is not supported.',
deprecated_since='9.0.0',
help=_('Select deferred auth method, '
'stored password or trusts.')),
cfg.StrOpt('reauthentication_auth_method',
choices=['', 'trusts'],
default='',
help=_('Allow reauthentication on token expiry, such that'
' long-running tasks may complete. Note this defeats'
' the expiry of any provided user tokens.')),
cfg.BoolOpt('allow_trusts_redelegation',
default=False,
help=_('Create trusts with redelegation enabled. '
'This option is only used when '
'reauthentication_auth_method is set to "trusts". '
'Note that enabling this option does have '
'security implications as all trusts created by Heat '
'will use both impersonation and redelegation enabled. '
'Enable it only when there are other services that '
'need to create trusts from tokens Heat uses to '
'access them, examples are Aodh and Heat in another '
'region when configured to use trusts too.')),
cfg.ListOpt('trusts_delegated_roles',
default=[],
help=_('Subset of trustor roles to be delegated to heat.'
' If left unset, all roles of a user will be'
' delegated to heat when creating a stack.')),
cfg.IntOpt('max_resources_per_stack',
default=1000,
help=_('Maximum resources allowed per top-level stack. '
'-1 stands for unlimited.')),
cfg.IntOpt('max_stacks_per_tenant',
default=512,
help=_('Maximum number of stacks any one tenant may have '
'active at one time. -1 stands for unlimited.')),
cfg.IntOpt('max_software_configs_per_tenant',
default=4096,
help=_('Maximum number of software configs any one tenant may '
'have active at one time. -1 stands for unlimited.')),
cfg.IntOpt('max_software_deployments_per_tenant',
default=4096,
help=_('Maximum number of software deployments any one tenant '
'may have active at one time.'
'-1 stands for unlimited.')),
cfg.IntOpt('max_snapshots_per_stack',
default=32,
help=_('Maximum number of snapshot any one stack may have '
'active at one time. -1 stands for unlimited.')),
cfg.IntOpt('action_retry_limit',
default=5,
help=_('Number of times to retry to bring a '
'resource to a non-error state. Set to 0 to disable '
'retries.')),
cfg.IntOpt('client_retry_limit',
default=2,
help=_('Number of times to retry when a client encounters an '
'expected intermittent error. Set to 0 to disable '
'retries.')),
# Server host name limit to 53 characters by due to typical default
# linux HOST_NAME_MAX of 64, minus the .novalocal appended to the name
cfg.IntOpt('max_server_name_length',
default=53,
max=53,
help=_('Maximum length of a server name to be used '
'in nova.')),
cfg.IntOpt('max_interface_check_attempts',
min=1,
default=10,
help=_('Number of times to check whether an interface has '
'been attached or detached.')),
cfg.FloatOpt('max_nova_api_microversion',
help=_('Maximum nova API version for client plugin. With '
'this limitation, any nova feature supported with '
'microversion number above max_nova_api_microversion '
'will not be available.')),
cfg.FloatOpt('max_ironic_api_microversion',
help=_('Maximum ironic API version for client plugin. With '
'this limitation, any ironic feature supported with '
'microversion number above '
'max_ironic_api_microversion will not be available.')),
cfg.IntOpt('event_purge_batch_size',
min=1,
default=200,
help=_("Controls how many events will be pruned whenever a "
"stack's events are purged. Set this "
"lower to keep more events at the expense of more "
"frequent purges.")),
cfg.IntOpt('max_events_per_stack',
default=1000,
help=_('Rough number of maximum events that will be available '
'per stack. Actual number of events can be a bit '
'higher since purge checks take place randomly '
'200/event_purge_batch_size percent of the time. '
'Older events are deleted when events are purged. '
'Set to 0 for unlimited events per stack.')),
cfg.IntOpt('stack_action_timeout',
default=3600,
help=_('Timeout in seconds for stack action (ie. create or'
' update).')),
cfg.IntOpt('error_wait_time',
default=240,
help=_('The amount of time in seconds after an error has'
' occurred that tasks may continue to run before'
' being cancelled.')),
cfg.IntOpt('engine_life_check_timeout',
default=2,
help=_('RPC timeout for the engine liveness check that is used'
' for stack locking.')),
cfg.BoolOpt('enable_stack_abandon',
default=False,
help=_('Enable the preview Stack Abandon feature.')),
cfg.BoolOpt('enable_stack_adopt',
default=False,
help=_('Enable the preview Stack Adopt feature.')),
cfg.BoolOpt('convergence_engine',
default=True,
help=_('Enables engine with convergence architecture. All '
'stacks with this option will be created using '
'convergence engine.')),
cfg.BoolOpt('observe_on_update',
default=False,
help=_('On update, enables heat to collect existing resource '
'properties from reality and converge to '
'updated template.')),
cfg.StrOpt('default_software_config_transport',
choices=['POLL_SERVER_CFN',
'POLL_SERVER_HEAT',
'POLL_TEMP_URL',
'ZAQAR_MESSAGE'],
default='POLL_SERVER_CFN',
help=_('Template default for how the server should receive the '
'metadata required for software configuration. '
'POLL_SERVER_CFN will allow calls to the cfn API action '
'DescribeStackResource authenticated with the provided '
'keypair (requires enabled heat-api-cfn). '
'POLL_SERVER_HEAT will allow calls to the '
'Heat API resource-show using the provided keystone '
'credentials (requires keystone v3 API, and configured '
'stack_user_* config options). '
'POLL_TEMP_URL will create and populate a '
'Swift TempURL with metadata for polling (requires '
'object-store endpoint which supports TempURL).'
'ZAQAR_MESSAGE will create a dedicated zaqar queue and '
'post the metadata for polling.')),
cfg.StrOpt('default_deployment_signal_transport',
choices=['CFN_SIGNAL',
'TEMP_URL_SIGNAL',
'HEAT_SIGNAL',
'ZAQAR_SIGNAL'],
default='CFN_SIGNAL',
help=_('Template default for how the server should signal to '
'heat with the deployment output values. CFN_SIGNAL '
'will allow an HTTP POST to a CFN keypair signed URL '
'(requires enabled heat-api-cfn). '
'TEMP_URL_SIGNAL will create a Swift TempURL to be '
'signaled via HTTP PUT (requires object-store endpoint '
'which supports TempURL). '
'HEAT_SIGNAL will allow calls to the Heat API '
'resource-signal using the provided keystone '
'credentials. ZAQAR_SIGNAL will create a dedicated '
'zaqar queue to be signaled using the provided keystone '
'credentials.')),
cfg.StrOpt('default_user_data_format',
choices=['HEAT_CFNTOOLS',
'RAW',
'SOFTWARE_CONFIG'],
default='HEAT_CFNTOOLS',
help=_('Template default for how the user_data should be '
'formatted for the server. For HEAT_CFNTOOLS, the '
'user_data is bundled as part of the heat-cfntools '
'cloud-init boot configuration data. For RAW the '
'user_data is passed to Nova unmodified. For '
'SOFTWARE_CONFIG user_data is bundled as part of the '
'software config data, and metadata is derived from any '
'associated SoftwareDeployment resources.')),
cfg.ListOpt('hidden_stack_tags',
default=[],
help=_('Stacks containing these tag names will be hidden. '
'Multiple tags should be given in a comma-delimited '
'list (eg. hidden_stack_tags=hide_me,me_too).')),
cfg.BoolOpt('stack_scheduler_hints',
default=False,
help=_('When this feature is enabled, scheduler hints'
' identifying the heat stack context of a server'
' or volume resource are passed to the configured'
' schedulers in nova and cinder, for creates done'
' using heat resource types OS::Cinder::Volume,'
' OS::Nova::Server, and AWS::EC2::Instance.'
' heat_root_stack_id will be set to the id of the'
' root stack of the resource, heat_stack_id will be'
' set to the id of the resource\'s parent stack,'
' heat_stack_name will be set to the name of the'
' resource\'s parent stack, heat_path_in_stack will'
' be set to a list of comma delimited strings of'
' stackresourcename and stackname with list[0] being'
' \'rootstackname\', heat_resource_name will be set to'
' the resource\'s name, and heat_resource_uuid will be'
' set to the resource\'s orchestration id.')),
cfg.BoolOpt('encrypt_parameters_and_properties',
default=False,
help=_('Encrypt template parameters that were marked as'
' hidden and also all the resource properties before'
' storing them in database.')),
cfg.FloatOpt('metadata_put_timeout',
default=60,
min=0,
help=_('Timeout in seconds for metadata update for '
'software deployment'))
]
rpc_opts = [
cfg.StrOpt('host',
default=socket.gethostname(),
sample_default='<Hostname>',
help=_('Name of the engine node. '
'This can be an opaque identifier. '
'It is not necessarily a hostname, FQDN, '
'or IP address.'))]
auth_password_group = cfg.OptGroup('auth_password')
auth_password_opts = [
cfg.BoolOpt('multi_cloud',
default=False,
help=_('Allow orchestration of multiple clouds.')),
cfg.ListOpt('allowed_auth_uris',
default=[],
help=_('Allowed keystone endpoints for auth_uri when '
'multi_cloud is enabled. At least one endpoint needs '
'to be specified.'))]
# these options define baseline defaults that apply to all clients
default_clients_opts = [
cfg.StrOpt('endpoint_type',
default='publicURL',
help=_(
'Type of endpoint in Identity service catalog to use '
'for communication with the OpenStack service.')),
cfg.StrOpt('ca_file',
help=_('Optional CA cert file to use in SSL connections.')),
cfg.StrOpt('cert_file',
help=_('Optional PEM-formatted certificate chain file.')),
cfg.StrOpt('key_file',
help=_('Optional PEM-formatted file that contains the '
'private key.')),
cfg.BoolOpt('insecure',
default=False,
help=_("If set, then the server's certificate will not "
"be verified."))]
# these options can be defined for each client
# they must not specify defaults, since any options not defined in a client
# specific group is looked up on the generic group above
clients_opts = [
cfg.StrOpt('endpoint_type',
help=_(
'Type of endpoint in Identity service catalog to use '
'for communication with the OpenStack service.')),
cfg.StrOpt('ca_file',
help=_('Optional CA cert file to use in SSL connections.')),
cfg.StrOpt('cert_file',
help=_('Optional PEM-formatted certificate chain file.')),
cfg.StrOpt('key_file',
help=_('Optional PEM-formatted file that contains the '
'private key.')),
cfg.BoolOpt('insecure',
help=_("If set, then the server's certificate will not "
"be verified."))]
heat_client_opts = [
cfg.StrOpt('url',
default='',
help=_('Optional heat url in format like'
' http://0.0.0.0:8004/v1/%(tenant_id)s.'))]
keystone_client_opts = [
cfg.StrOpt('auth_uri',
default='',
help=_('Unversioned keystone url in format like'
' http://0.0.0.0:5000.'))]
client_http_log_debug_opts = [
cfg.BoolOpt('http_log_debug',
default=False,
help=_("Allow client's debug log output."))]
revision_group = cfg.OptGroup('revision')
revision_opts = [
cfg.StrOpt('heat_revision',
default='unknown',
help=_('Heat build revision. '
'If you would prefer to manage your build revision '
'separately, you can move this section to a different '
'file and add it as another config option.'))]
volumes_group = cfg.OptGroup('volumes')
volumes_opts = [
cfg.BoolOpt('backups_enabled',
default=True,
help=_("Indicate if cinder-backup service is enabled. "
"This is a temporary workaround until cinder-backup "
"service becomes discoverable, see LP#1334856."))]
noauth_group = cfg.OptGroup('noauth')
noauth_opts = [
cfg.StrOpt('token_response',
default='',
help=_("JSON file containing the content returned by the "
"noauth middleware."))]
[docs]
def startup_sanity_check():
if (not cfg.CONF.stack_user_domain_id and
not cfg.CONF.stack_user_domain_name):
# FIXME(shardy): Legacy fallback for folks using old heat.conf
# files which lack domain configuration
LOG.warning('stack_user_domain_id or stack_user_domain_name not '
'set in heat.conf falling back to using default')
else:
domain_admin_user = cfg.CONF.stack_domain_admin
domain_admin_password = cfg.CONF.stack_domain_admin_password
if not (domain_admin_user and domain_admin_password):
raise exception.Error(_('heat.conf misconfigured, cannot '
'specify "stack_user_domain_id" or '
'"stack_user_domain_name" without '
'"stack_domain_admin" and '
'"stack_domain_admin_password"'))
auth_key_len = len(cfg.CONF.auth_encryption_key)
if auth_key_len in (16, 24):
LOG.warning(
'Please update auth_encryption_key to be 32 characters.')
elif auth_key_len != 32:
raise exception.Error(_('heat.conf misconfigured, auth_encryption_key '
'must be 32 characters'))
[docs]
def list_opts():
yield None, rpc_opts
yield None, engine_opts
yield None, service_opts
yield paste_deploy_group.name, paste_deploy_opts
yield auth_password_group.name, auth_password_opts
yield revision_group.name, revision_opts
yield volumes_group.name, volumes_opts
yield noauth_group.name, noauth_opts
yield profiler.list_opts()[0]
yield 'clients', default_clients_opts
for client in ('aodh', 'barbican', 'cinder', 'designate',
'glance', 'heat', 'keystone', 'magnum', 'manila', 'mistral',
'monasca', 'neutron', 'nova', 'octavia',
'swift', 'trove', 'vitrage', 'zaqar'
):
client_specific_group = 'clients_' + client
yield client_specific_group, clients_opts
yield 'clients_heat', heat_client_opts
yield 'clients_keystone', keystone_client_opts
yield 'clients_nova', client_http_log_debug_opts
yield 'clients_cinder', client_http_log_debug_opts
yield oslo_db_ops.list_opts()[0]
cfg.CONF.register_group(paste_deploy_group)
cfg.CONF.register_group(auth_password_group)
cfg.CONF.register_group(revision_group)
profiler.set_defaults(cfg.CONF)
for group, opts in list_opts():
cfg.CONF.register_opts(opts, group=group)
def _get_deployment_flavor():
"""Retrieves the paste_deploy.flavor config item.
Item formatted appropriately for appending to the application name.
"""
flavor = cfg.CONF.paste_deploy.flavor
return '' if not flavor else ('-' + flavor)
def _get_deployment_config_file():
"""Retrieves the deployment_config_file config item.
Item formatted as an absolute pathname.
"""
config_path = cfg.CONF.find_file(
cfg.CONF.paste_deploy['api_paste_config'])
if config_path is None:
return None
return os.path.abspath(config_path)
[docs]
def load_paste_app(app_name=None):
"""Builds and returns a WSGI app from a paste config file.
We assume the last config file specified in the supplied ConfigOpts
object is the paste config file.
:param app_name: name of the application to load
:raises RuntimeError: when config file cannot be located or application
cannot be loaded from config file
"""
if app_name is None:
app_name = cfg.CONF.prog
# append the deployment flavor to the application name,
# in order to identify the appropriate paste pipeline
app_name += _get_deployment_flavor()
conf_file = _get_deployment_config_file()
if conf_file is None:
raise RuntimeError(_("Unable to locate config file [%s]") %
cfg.CONF.paste_deploy['api_paste_config'])
try:
app = wsgi.paste_deploy_app(conf_file, app_name, cfg.CONF)
# Log the options used when starting if we're in debug mode...
if cfg.CONF.debug:
cfg.CONF.log_opt_values(logging.getLogger(app_name),
logging.DEBUG)
return app
except (LookupError, ImportError) as e:
raise RuntimeError(_("Unable to load %(app_name)s from "
"configuration file %(conf_file)s."
"\nGot: %(e)r") % {'app_name': app_name,
'conf_file': conf_file,
'e': e})
[docs]
def get_client_option(client, option):
# look for the option in the [clients_${client}] section
# unknown options raise cfg.NoSuchOptError
try:
group_name = 'clients_' + client
cfg.CONF.import_opt(option, 'heat.common.config',
group=group_name)
v = getattr(getattr(cfg.CONF, group_name), option)
if v is not None:
return v
except cfg.NoSuchGroupError:
pass # do not error if the client is unknown
# look for the option in the generic [clients] section
cfg.CONF.import_opt(option, 'heat.common.config', group='clients')
return getattr(cfg.CONF.clients, option)
[docs]
def get_ssl_options(client):
# Look for the ssl options in the [clients_${client}] section
cacert = get_client_option(client, 'ca_file')
insecure = get_client_option(client, 'insecure')
cert = get_client_option(client, 'cert_file')
key = get_client_option(client, 'key_file')
if insecure:
verify = False
else:
verify = cacert or True
if cert and key:
cert = (cert, key)
return {'verify': verify, 'cert': cert}
[docs]
def set_config_defaults():
"""This method updates all configuration default values."""
cors.set_defaults(
allow_headers=['X-Auth-Token',
'X-Identity-Status',
'X-Roles',
'X-Service-Catalog',
'X-User-Id',
'X-Tenant-Id',
'X-OpenStack-Request-ID'],
expose_headers=['X-Auth-Token',
'X-Subject-Token',
'X-Service-Token',
'X-OpenStack-Request-ID'],
allow_methods=['GET',
'PUT',
'POST',
'DELETE',
'PATCH']
)
# TODO(gmann): Remove setting the default value of config policy_file
# once oslo_policy change the default value to 'policy.yaml'.
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
policy_opts.set_defaults(cfg.CONF, 'policy.yaml')