aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/profile/base/docker.pp
diff options
context:
space:
mode:
Diffstat (limited to 'manifests/profile/base/docker.pp')
-rw-r--r--manifests/profile/base/docker.pp62
1 files changed, 2 insertions, 60 deletions
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index e042947..d230366 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -32,7 +32,7 @@
# OPTIONS that are used to startup the docker service. NOTE:
# --selinux-enabled is dropped due to recommendations here:
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html
-# Defaults to '--log-driver=journald --signature-verification=false'
+# Defaults to '--log-driver=journald --signature-verification=false --iptables=false'
#
# [*configure_storage*]
# Boolean. Whether to configure a docker storage backend. Defaults to true.
@@ -43,18 +43,6 @@
# [*step*]
# step defaults to hiera('step')
#
-# [*configure_libvirt_polkit*]
-# Configures libvirt polkit to grant the kolla nova user access to the libvirtd unix domain socket on the host.
-# Defaults to true when nova_compute service is enabled, false when nova_compute is disabled
-#
-# [*docker_nova_uid*]
-# When configure_libvirt_polkit = true, the uid/gid of the nova user within the docker container.
-# Defaults to 42436
-#
-# [*services_enabled*]
-# List of TripleO services enabled on the role.
-# Defaults to hiera('services_names')
-#
# DEPRECATED PARAMETERS
#
# [*docker_namespace*]
@@ -69,24 +57,15 @@
class tripleo::profile::base::docker (
$insecure_registry_address = undef,
$registry_mirror = false,
- $docker_options = '--log-driver=journald --signature-verification=false',
+ $docker_options = '--log-driver=journald --signature-verification=false --iptables=false',
$configure_storage = true,
$storage_options = '-s overlay2',
$step = Integer(hiera('step')),
- $configure_libvirt_polkit = undef,
- $docker_nova_uid = 42436,
- $services_enabled = hiera('service_names', []),
# DEPRECATED PARAMETERS
$docker_namespace = undef,
$insecure_registry = false,
) {
- if $configure_libvirt_polkit == undef {
- $configure_libvirt_polkit_real = 'nova_compute' in $services_enabled
- } else {
- $configure_libvirt_polkit_real = $configure_libvirt_polkit
- }
-
if $step >= 1 {
package {'docker':
ensure => installed,
@@ -176,41 +155,4 @@ class tripleo::profile::base::docker (
}
}
- if ($step >= 4 and $configure_libvirt_polkit_real) {
- # Workaround for polkit authorization for libvirtd socket on host
- #
- # This creates a local user with the kolla nova uid, and sets the polkit rule to
- # allow both it and the nova user from the nova rpms, should it exist (uid 162).
-
- group { 'docker_nova_group':
- name => 'docker_nova',
- gid => $docker_nova_uid
- }
- -> user { 'docker_nova_user':
- name => 'docker_nova',
- uid => $docker_nova_uid,
- gid => $docker_nova_uid,
- shell => '/sbin/nologin',
- comment => 'OpenStack Nova Daemons',
- groups => ['nobody']
- }
-
- # Similar to the polkit rule in the openstack-nova rpm spec
- # but allow both the 'docker_nova' and 'nova' user
- $docker_nova_polkit_rule = '// openstack-nova libvirt management permissions
-polkit.addRule(function(action, subject) {
- if (action.id == "org.libvirt.unix.manage" &&
- /^(docker_)?nova$/.test(subject.user)) {
- return polkit.Result.YES;
- }
-});
-'
- package {'polkit':
- ensure => installed,
- }
- -> file {'/etc/polkit-1/rules.d/50-nova.rules':
- content => $docker_nova_polkit_rule,
- mode => '0644'
- }
- }
}