{"heat_template_version": "wallaby", "description": "OpenStack containerized Rabbitmq service\n", "parameters": {"ContainerRabbitmqImage": {"description": "image", "type": "string", "tags": ["role_specific"]}, "ContainerRabbitmqConfigImage": {"description": "The container image to use for the rabbitmq config_volume", "type": "string", "tags": ["role_specific"]}, "EndpointMap": {"default": {}, "description": "Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry.", "type": "json"}, "ServiceData": {"default": {}, "description": "Dictionary packing service data", "type": "json"}, "ServiceNetMap": {"default": {}, "description": "Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults.", "type": "json"}, "RoleName": {"default": "", "description": "Role name on which the service is applied", "type": "string"}, "RoleParameters": {"default": {}, "description": "Parameters specific to the role", "type": "json"}, "RabbitCookie": {"type": "string", "default": "", "hidden": true}, "EnableInternalTLS": {"type": "boolean", "default": false}, "RabbitUserName": {"default": "guest", "description": "The username for RabbitMQ", "type": "string"}, "RabbitPassword": {"description": "The password for RabbitMQ", "type": "string", "hidden": true}, "RabbitFDLimit": {"default": 65536, "description": "Configures RabbitMQ FD limit", "type": "number"}, "RabbitTCPBacklog": {"default": 4096, "description": "Configures RabbitMQ maximum TCP Backlog", "type": "number"}, "RabbitIPv6": {"default": false, "description": "Enable IPv6 in RabbitMQ", "type": "boolean"}, "RabbitHAQueues": {"description": "The number of HA queues to be configured in rabbit. The default is -1 which translates to \"ha-mode all\". The special value 0 will be automatically overridden to CEIL(N/2) where N is the number of nodes running rabbitmq.", "default": 0, "type": "number"}, "RabbitNetTickTime": {"description": "The number of seconds to configure the value of the erlang net_ticktime kernel variable.", "default": 15, "type": "number"}, "RabbitFIPS": {"type": "boolean", "default": false, "description": "Configures RabbitMQ to run in FIPS mode"}, "RabbitAdditionalErlArgs": {"description": "Additional parameters passed to the Erlang subsystem. The string needs to be enclosed in quotes twice. We default to '+sbwt none +sbwtdcpu none +sbwtdio none' in order to have the erlang vm be less busy on spinlocks, but we allow a simple way of overriding it.", "default": "'+sbwt none +sbwtdcpu none +sbwtdio none'", "type": "string"}, "MonitoringSubscriptionRabbitmq": {"default": "overcloud-rabbitmq", "type": "string"}, "DeployIdentifier": {"default": "", "type": "string", "description": "Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update.\n"}, "CertificateKeySize": {"type": "string", "default": "2048", "description": "Specifies the private key size used when creating the certificate."}, "RabbitmqCertificateKeySize": {"type": "string", "default": "", "description": "Override the private key size used when creating the certificate for this service"}, "InternalTLSCAFile": {"default": "/etc/ipa/ca.crt", "type": "string", "description": "Specifies the default CA cert to use if TLS is used for services in the internal network."}, "RabbitmqEnableManagementAccess": {"type": "boolean", "default": false, "description": "Allow access to RabbitMQ management plugin over network"}}, "parameter_groups": [{"label": "deprecated", "description": "The following parameters are deprecated and will be removed. They should not\nbe relied on for new deployments. If you have concerns regarding deprecated\nparameters, please contact the TripleO development team on IRC or the\nOpenStack mailing list.\n", "parameters": ["RabbitIPv6"]}], "conditions": {"internal_tls_enabled": {"equals": [{"get_param": "EnableInternalTLS"}, true]}, "is_ipv6": {"equals": [{"get_param": ["ServiceData", "net_ip_version_map", {"get_param": ["ServiceNetMap", "RabbitmqNetwork"]}]}, 6]}, "key_size_override_unset": {"equals": [{"get_param": "RabbitmqCertificateKeySize"}, ""]}, "rabbitmq_cacert_set": {"not": {"equals": [{"get_param": "InternalTLSCAFile"}, ""]}}}, "resources": {"ContainersCommon": {"type": "file:///usr/share/openstack-tripleo-heat-templates/deployment/containers-common.yaml"}, "RoleParametersValue": {"type": "OS::Heat::Value", "properties": {"type": "json", "value": {"map_replace": [{"map_replace": [{"ContainerRabbitmqImage": "ContainerRabbitmqImage", "ContainerRabbitmqConfigImage": "ContainerRabbitmqConfigImage"}, {"values": {"get_param": ["RoleParameters"]}}]}, {"values": {"ContainerRabbitmqImage": {"get_param": "ContainerRabbitmqImage"}, "ContainerRabbitmqConfigImage": {"get_param": "ContainerRabbitmqConfigImage"}}}]}}}}, "outputs": {"role_data": {"description": "Role data for the Rabbitmq API role.", "value": {"service_name": "rabbitmq", "firewall_rules": {"109 rabbitmq": {"dport": {"list_concat": [[4369, 5672, 25672, "25673-25683"], {"if": [{"get_param": "RabbitmqEnableManagementAccess"}, [15672]]}]}}}, "monitoring_subscription": {"get_param": "MonitoringSubscriptionRabbitmq"}, "config_settings": {"map_merge": [{"rabbitmq::file_limit": {"get_param": "RabbitFDLimit"}, "rabbitmq::default_user": {"get_param": "RabbitUserName"}, "rabbitmq::default_pass": {"get_param": "RabbitPassword"}, "rabbit_ipv6": {"if": ["is_ipv6", true, false]}, "rabbitmq::delete_guest_user": false, "rabbitmq::wipe_db_on_cookie_change": true, "rabbitmq::port": 5672, "rabbitmq::loopback_users": [], "rabbitmq::tcp_backlog": {"get_param": "RabbitTCPBacklog"}, "rabbitmq::repos_ensure": false, "rabbitmq::tcp_keepalive": true, "rabbitmq_environment": {"LANG": "en_US.UTF-8", "LC_ALL": "en_US.UTF-8", "NODE_PORT": "", "NODE_IP_ADDRESS": "", "RABBITMQ_NODENAME": {"str_replace": {"template": "rabbit@%{hiera('fqdn_$NETWORK')}", "params": {"$NETWORK": {"get_param": ["ServiceNetMap", "RabbitmqNetwork"]}}}}, "RABBITMQ_USE_LONGNAME": "true", "RABBITMQ_CTL_DIST_PORT_MIN": "25673", "RABBITMQ_CTL_DIST_PORT_MAX": "25683", "export ERL_EPMD_ADDRESS": "%{hiera('rabbitmq::interface')}"}, "tripleo::profile::base::rabbitmq::additional_erl_args": {"get_param": "RabbitAdditionalErlArgs"}, "rabbitmq_kernel_variables": {"inet_dist_listen_min": "25672", "inet_dist_listen_max": "25672", "net_ticktime": {"get_param": "RabbitNetTickTime"}}, "rabbitmq_config_variables": {"cluster_partition_handling": "ignore", "queue_master_locator": "<<\"min-masters\">>"}, "rabbitmq::config_additional_variables": {"lager": "[{crash_log_count, 0}, { crash_log_date, \"\"}, { crash_log_size, 0 }]"}, "rabbitmq::erlang_cookie": {"get_param": "RabbitCookie"}, "rabbitmq::interface": {"str_replace": {"template": "%{hiera('$NETWORK')}", "params": {"$NETWORK": {"get_param": ["ServiceNetMap", "RabbitmqNetwork"]}}}}, "rabbitmq::nr_ha_queues": {"get_param": "RabbitHAQueues"}, "rabbitmq::ssl": {"get_param": "EnableInternalTLS"}, "rabbitmq::ssl_erl_dist": {"get_param": "EnableInternalTLS"}, "rabbitmq::ssl_port": 5672, "rabbitmq::ssl_depth": 1, "rabbitmq::ssl_only": {"get_param": "EnableInternalTLS"}, "rabbitmq::ssl_interface": {"str_replace": {"template": "%{hiera('$NETWORK')}", "params": {"$NETWORK": {"get_param": ["ServiceNetMap", "RabbitmqNetwork"]}}}}, "tripleo::profile::base::rabbitmq::enable_internal_tls": {"get_param": "EnableInternalTLS"}, "tripleo::profile::base::rabbitmq::fips_mode": {"get_param": "RabbitFIPS"}, "rabbitmq::collect_statistics_interval": 30000}, {"if": ["internal_tls_enabled", {"tripleo::rabbitmq::service_certificate": "/etc/pki/tls/certs/rabbitmq.crt", "tripleo::profile::base::rabbitmq::certificate_specs": {"service_certificate": "/etc/pki/tls/certs/rabbitmq.crt", "service_key": "/etc/pki/tls/private/rabbitmq.key"}, "rabbitmq::ssl_versions": {"if": [{"get_param": "RabbitFIPS"}, ["tlsv1.2", "tlsv1.3"], ["tlsv1.2"]]}}, {}]}, {"rabbitmq::admin_enable": false, "rabbitmq::management_enable": true, "rabbitmq::use_config_file_for_plugins": true, "rabbitmq::management_ip_address": {"if": [{"get_param": "RabbitmqEnableManagementAccess"}, {"str_replace": {"template": "%{hiera('$NETWORK')}", "params": {"$NETWORK": {"get_param": ["ServiceNetMap", "RabbitmqManagementNetwork"]}}}}, "127.0.0.1"]}, "rabbitmq::management_port": 15672, "rabbitmq::config_management_variables": {"rates_mode": "none"}}, {"if": ["rabbitmq_cacert_set", {"rabbitmq::ssl_cacert": {"get_param": "InternalTLSCAFile"}, "rabbitmq::ssl_management_cacert": {"get_param": "InternalTLSCAFile"}}]}, {"if": ["internal_tls_enabled", {"tripleo::certmonger::rabbitmq::postsave_cmd": "true"}, {}]}]}, "puppet_config": {"config_volume": "rabbitmq", "step_config": {"list_join": ["\n", ["['Rabbitmq_policy', 'Rabbitmq_user'].each |String $val| { noop_resource($val) }", "include tripleo::profile::base::rabbitmq"]]}, "config_image": {"get_attr": ["RoleParametersValue", "value", "ContainerRabbitmqConfigImage"]}}, "kolla_config": {"/var/lib/kolla/config_files/rabbitmq.json": {"command": "/usr/lib/rabbitmq/bin/rabbitmq-server", "config_files": [{"source": "/var/lib/kolla/config_files/src/*", "dest": "/", "merge": true, "preserve_properties": true}, {"source": "/var/lib/kolla/config_files/src-tls/*", "dest": "/", "merge": true, "preserve_properties": true, "optional": true}], "permissions": [{"path": "/var/lib/rabbitmq", "owner": "rabbitmq:rabbitmq", "recurse": true}, {"path": "/etc/pki/tls/certs/rabbitmq.crt", "owner": "rabbitmq:rabbitmq", "optional": true}, {"path": "/etc/pki/tls/private/rabbitmq.key", "owner": "rabbitmq:rabbitmq", "optional": true}]}}, "docker_config": {"step_1": {"rabbitmq_init_logs": {"start_order": 0, "detach": false, "image": {"get_attr": ["RoleParametersValue", "value", "ContainerRabbitmqImage"]}, "net": "none", "privileged": false, "user": "root", "volumes": ["/var/log/containers/rabbitmq:/var/log/rabbitmq"], "command": ["/bin/bash", "-c", "chown -R rabbitmq:rabbitmq /var/log/rabbitmq"]}, "rabbitmq_bootstrap": {"start_order": 1, "detach": false, "image": {"get_attr": ["RoleParametersValue", "value", "ContainerRabbitmqImage"]}, "net": "host", "privileged": false, "user": "root", "command": ["bash", "-ec", {"list_join": ["\n", ["kolla_set_configs", "if [[ -e \"/var/lib/rabbitmq/.erlang.cookie\" ]]; then rm -f /var/lib/rabbitmq/.erlang.cookie; fi", "hiera 'rabbitmq::erlang_cookie' > /var/lib/rabbitmq/.erlang.cookie", "chown rabbitmq:rabbitmq /var/lib/rabbitmq/.erlang.cookie", "chmod 400 /var/lib/rabbitmq/.erlang.cookie"]]}], "volumes": {"list_concat": [{"get_attr": ["ContainersCommon", "volumes"]}, ["/var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro", "/var/lib/config-data/puppet-generated/rabbitmq:/var/lib/kolla/config_files/src:ro", "/etc/puppet:/etc/puppet:ro", "/var/lib/rabbitmq:/var/lib/rabbitmq", "/var/log/containers/rabbitmq:/var/log/rabbitmq"], {"if": ["internal_tls_enabled", ["/etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro", "/etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro"], null]}]}, "environment": {"KOLLA_CONFIG_STRATEGY": "COPY_ALWAYS", "TRIPLEO_DEPLOY_IDENTIFIER": {"get_param": "DeployIdentifier"}}}, "rabbitmq": {"start_order": 2, "image": {"get_attr": ["RoleParametersValue", "value", "ContainerRabbitmqImage"]}, "net": "host", "privileged": false, "restart": "always", "healthcheck": {"test": "/openstack/healthcheck"}, "volumes": {"list_concat": [{"get_attr": ["ContainersCommon", "volumes"]}, ["/var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro", "/var/lib/config-data/puppet-generated/rabbitmq:/var/lib/kolla/config_files/src:ro", "/var/lib/rabbitmq:/var/lib/rabbitmq:z", "/var/log/containers/rabbitmq:/var/log/rabbitmq:z"], {"if": ["internal_tls_enabled", ["/etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro", "/etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro"], null]}]}, "environment": {"KOLLA_CONFIG_STRATEGY": "COPY_ALWAYS"}}}}, "container_puppet_tasks": {"step_2": {"config_volume": "rabbit_init_tasks", "puppet_tags": "rabbitmq_policy,rabbitmq_user", "step_config": "include tripleo::profile::base::rabbitmq", "config_image": {"get_attr": ["RoleParametersValue", "value", "ContainerRabbitmqConfigImage"]}, "volumes": ["/var/lib/config-data/puppet-generated/rabbitmq/etc/rabbitmq:/etc/rabbitmq:ro", "/var/lib/rabbitmq:/var/lib/rabbitmq"]}}, "metadata_settings": {"if": ["internal_tls_enabled", [{"service": "rabbitmq", "network": {"get_param": ["ServiceNetMap", "RabbitmqNetwork"]}, "type": "node"}], null]}, "deploy_steps_tasks": [{"name": "Certificate generation", "when": ["step|int == 1", "enable_internal_tls"], "block": [{"include_role": {"name": "linux-system-roles.certificate"}, "vars": {"certificate_requests": [{"name": "rabbitmq", "dns": {"str_replace": {"template": "{{fqdn_$NETWORK}}", "params": {"$NETWORK": {"get_param": ["ServiceNetMap", "RabbitmqNetwork"]}}}}, "principal": {"str_replace": {"template": "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}", "params": {"$NETWORK": {"get_param": ["ServiceNetMap", "RabbitmqNetwork"]}}}}, "run_after": "container_name=$({{container_cli}} ps --format=\\{\\{.Names\\}\\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')\nservice_crt=\"/etc/pki/tls/certs/rabbitmq.crt\"\nservice_key=\"/etc/pki/tls/private/rabbitmq.key\"\nif echo \"$container_name\" | grep -q \"^rabbitmq-bundle\"; then\n  # lp#1917868: Do not use podman cp with HA containers as they get\n  # frozen temporarily and that can make pacemaker operation fail.\n  tar -c \"$service_crt\" \"$service_key\" | {{container_cli}} exec -i \"$container_name\" tar -C / -xv\n  # no need to update the mount point, because pacemaker\n  # recreates the container when it's restarted\nelse\n  # Refresh the cert at the mount-point\n  {{container_cli}} cp $service_crt \"$container_name:/var/lib/kolla/config_files/src-tls/$service_crt\"\n  # Refresh the key at the mount-point\n  {{container_cli}} cp $service_key \"$container_name:/var/lib/kolla/config_files/src-tls/$service_key\"\n  # Copy the new cert from the mount-point to the real path\n  {{container_cli}} exec -u root \"$container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_crt\" \"$service_crt\"\n  # Copy the new key from the mount-point to the real path\n  {{container_cli}} exec -u root \"$container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_key\" \"$service_key\"\nfi\n# Set appropriate permissions\n{{container_cli}} exec -u root \"$container_name\" chown rabbitmq:rabbitmq \"$service_crt\"\n{{container_cli}} exec -u root \"$container_name\" chown rabbitmq:rabbitmq \"$service_key\"\n# Trigger a pem cache clear in RabbitMQ to read the new certificates\n{{container_cli}} exec \"$container_name\" rabbitmqctl eval \"ssl:clear_pem_cache().\"\n", "key_size": {"if": ["key_size_override_unset", {"get_param": "CertificateKeySize"}, {"get_param": "RabbitmqCertificateKeySize"}]}, "ca": "ipa"}]}}]}], "host_prep_tasks": [{"name": "creat fcontext entry for rabbitmq data", "community.general.sefcontext": {"target": "/var/lib/rabbitmq(/.*)?", "setype": "container_file_t", "state": "present"}}, {"name": "create persistent directories", "file": {"path": "{{ item.path }}", "state": "directory", "setype": "{{ item.setype }}", "mode": "{{ item.mode|default(omit) }}"}, "with_items": [{"path": "/var/log/containers/rabbitmq", "setype": "container_file_t", "mode": "0750"}, {"path": "/var/lib/rabbitmq", "setype": "container_file_t"}]}], "upgrade_tasks": [], "update_tasks": null}}}}