diff options
Diffstat (limited to 'manifests/profile/base/docker.pp')
-rw-r--r-- | manifests/profile/base/docker.pp | 62 |
1 files changed, 2 insertions, 60 deletions
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index e042947..d230366 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -32,7 +32,7 @@ # OPTIONS that are used to startup the docker service. NOTE: # --selinux-enabled is dropped due to recommendations here: # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html -# Defaults to '--log-driver=journald --signature-verification=false' +# Defaults to '--log-driver=journald --signature-verification=false --iptables=false' # # [*configure_storage*] # Boolean. Whether to configure a docker storage backend. Defaults to true. @@ -43,18 +43,6 @@ # [*step*] # step defaults to hiera('step') # -# [*configure_libvirt_polkit*] -# Configures libvirt polkit to grant the kolla nova user access to the libvirtd unix domain socket on the host. -# Defaults to true when nova_compute service is enabled, false when nova_compute is disabled -# -# [*docker_nova_uid*] -# When configure_libvirt_polkit = true, the uid/gid of the nova user within the docker container. -# Defaults to 42436 -# -# [*services_enabled*] -# List of TripleO services enabled on the role. -# Defaults to hiera('services_names') -# # DEPRECATED PARAMETERS # # [*docker_namespace*] @@ -69,24 +57,15 @@ class tripleo::profile::base::docker ( $insecure_registry_address = undef, $registry_mirror = false, - $docker_options = '--log-driver=journald --signature-verification=false', + $docker_options = '--log-driver=journald --signature-verification=false --iptables=false', $configure_storage = true, $storage_options = '-s overlay2', $step = Integer(hiera('step')), - $configure_libvirt_polkit = undef, - $docker_nova_uid = 42436, - $services_enabled = hiera('service_names', []), # DEPRECATED PARAMETERS $docker_namespace = undef, $insecure_registry = false, ) { - if $configure_libvirt_polkit == undef { - $configure_libvirt_polkit_real = 'nova_compute' in $services_enabled - } else { - $configure_libvirt_polkit_real = $configure_libvirt_polkit - } - if $step >= 1 { package {'docker': ensure => installed, @@ -176,41 +155,4 @@ class tripleo::profile::base::docker ( } } - if ($step >= 4 and $configure_libvirt_polkit_real) { - # Workaround for polkit authorization for libvirtd socket on host - # - # This creates a local user with the kolla nova uid, and sets the polkit rule to - # allow both it and the nova user from the nova rpms, should it exist (uid 162). - - group { 'docker_nova_group': - name => 'docker_nova', - gid => $docker_nova_uid - } - -> user { 'docker_nova_user': - name => 'docker_nova', - uid => $docker_nova_uid, - gid => $docker_nova_uid, - shell => '/sbin/nologin', - comment => 'OpenStack Nova Daemons', - groups => ['nobody'] - } - - # Similar to the polkit rule in the openstack-nova rpm spec - # but allow both the 'docker_nova' and 'nova' user - $docker_nova_polkit_rule = '// openstack-nova libvirt management permissions -polkit.addRule(function(action, subject) { - if (action.id == "org.libvirt.unix.manage" && - /^(docker_)?nova$/.test(subject.user)) { - return polkit.Result.YES; - } -}); -' - package {'polkit': - ensure => installed, - } - -> file {'/etc/polkit-1/rules.d/50-nova.rules': - content => $docker_nova_polkit_rule, - mode => '0644' - } - } } |