summaryrefslogtreecommitdiffstats
path: root/docker
diff options
context:
space:
mode:
authorJenkins <jenkins@review.openstack.org>2017-07-31 15:26:54 +0000
committerGerrit Code Review <review@openstack.org>2017-07-31 15:26:54 +0000
commit865c65b8f43a909c94b1b50712b5baf088af9566 (patch)
tree29c0636fe411f4aecbec4fef81427e98a2533fe8 /docker
parent04d797c09e3ae3fbc0025dfc4dec30b2b44d4620 (diff)
parent4645d9ce833197c42a563773cbf026d8853a4426 (diff)
Merge "Fix creation of iptables rules for non-HA containerized HAproxy"
Diffstat (limited to 'docker')
-rw-r--r--docker/services/haproxy.yaml40
1 files changed, 38 insertions, 2 deletions
diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml
index f080dcb2..2f0584ea 100644
--- a/docker/services/haproxy.yaml
+++ b/docker/services/haproxy.yaml
@@ -85,6 +85,7 @@ outputs:
map_merge:
- get_attr: [HAProxyBase, role_data, config_settings]
- tripleo::haproxy::haproxy_daemon: false
+ tripleo::haproxy::haproxy_service_manage: false
step_config: &step_config
get_attr: [HAProxyBase, role_data, step_config]
service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
@@ -92,7 +93,8 @@ outputs:
puppet_config:
config_volume: haproxy
puppet_tags: haproxy_config
- step_config: *step_config
+ step_config:
+ "class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
config_image: {get_param: DockerHAProxyConfigImage}
volumes: &deployed_cert_mount
- list_join:
@@ -110,10 +112,44 @@ outputs:
preserve_properties: true
docker_config:
step_1:
+ haproxy_firewall:
+ detach: false
+ image: {get_param: DockerHAProxyImage}
+ net: host
+ user: root
+ privileged: true
+ command:
+ - '/bin/bash'
+ - '-c'
+ - str_replace:
+ template:
+ list_join:
+ - '; '
+ - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 1}' > /etc/puppet/hieradata/docker.json"
+ - "FACTER_uuid=docker puppet apply --tags TAGS -v -e 'CONFIG'"
+ params:
+ TAGS: 'tripleo::firewall::rule'
+ CONFIG: *step_config
+ volumes:
+ list_concat:
+ - {get_attr: [ContainersCommon, volumes]}
+ - *deployed_cert_mount
+ -
+ - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
+ - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
+ # puppet saves iptables rules in /etc/sysconfig
+ - /etc/sysconfig:/etc/sysconfig:rw
+ # saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount
+ # the necessary bit and prevent systemd to try to reload the service in the container
+ - /usr/libexec/iptables:/usr/libexec/iptables:ro
+ - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
+ - /etc/puppet:/tmp/puppet-etc:ro
+ - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
+ environment:
+ - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
haproxy:
image: {get_param: DockerHAProxyImage}
net: host
- privileged: false
restart: always
volumes:
list_concat: