diff options
author | Damien Ciabrini <dciabrin@redhat.com> | 2017-06-12 15:37:15 +0200 |
---|---|---|
committer | Damien Ciabrini <dciabrin@redhat.com> | 2017-06-12 15:37:15 +0200 |
commit | efb36b42d6e22327486f548209b2472ebf1fe276 (patch) | |
tree | 640ad4afe720f388615b5784d2466d9e5a57937e /docker/services | |
parent | 9a319d42b6c5092d1863e7018afee3eb42b9d6ed (diff) |
Generate HAproxy iptables rules for containerized HA deployments
The containerized HAproxy service can only specify steps to be run in
containers, i.e. it cannot runs the regular puppet steps on bare metal
at the same time. A side effect is that the dedicated HAproxy iptables
rules are no longer generated.
Update the docker_config step to fix the creation of iptables rules
for HAproxy and persist them on-disk as before.
Co-Authored-By: Michele Baldessari <michele@acksyn.org>
Closes-Bug: 1697387
Change-Id: Ib5a083ba3299a82645f1a0f9da0d482c6b89ee23
Diffstat (limited to 'docker/services')
-rw-r--r-- | docker/services/pacemaker/haproxy.yaml | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml index ae19652e..7557afd6 100644 --- a/docker/services/pacemaker/haproxy.yaml +++ b/docker/services/pacemaker/haproxy.yaml @@ -60,11 +60,7 @@ outputs: list_join: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerHAProxyImage} ] - step_config: - list_join: - - "\n" - - - &noop_pcmk "['pcmk_bundle', 'pcmk_resource', 'pcmk_property', 'pcmk_constraint', 'pcmk_resource_default'].each |String $val| { noop_resource($val) }" - - 'include ::tripleo::profile::pacemaker::haproxy_bundle' + step_config: "" service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS puppet_config: @@ -74,8 +70,8 @@ outputs: list_join: - "\n" - - "exec {'wait-for-settle': command => '/bin/true' }" - - &noop_firewall "class tripleo::firewall(){}; define tripleo::firewall::rule( $port = undef, $dport = undef, $sport = undef, $proto = undef, $action = undef, $state = undef, $source = undef, $iniface = undef, $chain = undef, $destination = undef, $extras = undef){}" - - *noop_pcmk + - "class tripleo::firewall(){}; define tripleo::firewall::rule( $port = undef, $dport = undef, $sport = undef, $proto = undef, $action = undef, $state = undef, $source = undef, $iniface = undef, $chain = undef, $destination = undef, $extras = undef){}" + - "['pcmk_bundle', 'pcmk_resource', 'pcmk_property', 'pcmk_constraint', 'pcmk_resource_default'].each |String $val| { noop_resource($val) }" - 'include ::tripleo::profile::pacemaker::haproxy_bundle' config_image: *haproxy_image kolla_config: @@ -88,6 +84,7 @@ outputs: detach: false net: host user: root + privileged: true command: - '/bin/bash' - '-c' @@ -98,14 +95,20 @@ outputs: - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 2}' > /etc/puppet/hieradata/docker.json" - "FACTER_uuid=docker puppet apply --tags file,file_line,concat,augeas,TAGS -v -e 'CONFIG'" params: - TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation' + TAGS: 'tripleo::firewall::rule,pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation' CONFIG: list_join: - ';' - - - *noop_firewall - - 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::haproxy_bundle' + - - 'include ::tripleo::profile::base::pacemaker' + - 'include ::tripleo::profile::pacemaker::haproxy_bundle' image: *haproxy_image volumes: + # puppet saves iptables rules in /etc/sysconfig + - /etc/sysconfig:/etc/sysconfig:rw + # saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount + # the necessary bit and prevent systemd to try to reload the service in the container + - /usr/libexec/iptables:/usr/libexec/iptables:ro + - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /etc/puppet:/tmp/puppet-etc:ro |