-rwxr-xr-x | docker/docker-puppet.py | 43 | ||||
-rw-r--r-- | docker/services/swift-proxy.yaml | 66 | ||||
-rw-r--r-- | environments/docker-services-tls-everywhere.yaml | 3 | ||||
-rw-r--r-- | environments/services-docker/undercloud-aodh.yaml | 8 | ||||
-rw-r--r-- | environments/services-docker/undercloud-gnocchi.yaml | 6 | ||||
-rw-r--r-- | environments/services-docker/undercloud-panko.yaml | 2 | ||||
-rw-r--r-- | puppet/services/keystone.yaml | 1 |
7 files changed, 81 insertions, 48 deletions
diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py
index 111005ac..f1594d2d 100755
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
@@ -152,8 +152,7 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
     log.debug('manifest %s' % manifest)
     log.debug('config_image %s' % config_image)
     log.debug('volumes %s' % volumes)
-    hostname = short_hostname()
-    sh_script = '/var/lib/docker-puppet/docker-puppet-%s.sh' % config_volume
+    sh_script = '/var/lib/docker-puppet/docker-puppet.sh'
     with open(sh_script, 'w') as script_file:
         os.chmod(script_file.name, 0755)
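Review bot: The new fixed `sh_script` path `/var/lib/docker-puppet/docker-puppet.sh` is written with `open(sh_script, 'w')` from `mp_puppet_config`, whose `mp_` prefix suggests it runs in several worker processes at once (the pool and the mount of this file into the container are outside the hunk), so concurrent workers would truncate and rewrite the same file while a container started by another worker may already be reading it, and a truncated script could be executed. Because the content no longer varies per `config_volume`, the script could be written once before the workers start, or written to `sh_script + '.tmp'` and moved into place with `os.rename()` so readers only ever see a complete file. The rest of `mp_puppet_config` continues past the end of this hunk.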
@@ -162,43 +161,40 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
         mkdir -p /etc/puppet
         cp -a /tmp/puppet-etc/* /etc/puppet
         rm -Rf /etc/puppet/ssl # not in use and causes permission errors
-        echo '{"step": %(step)s}' > /etc/puppet/hieradata/docker.json
+        echo "{\\"step\\": $STEP}" > /etc/puppet/hieradata/docker.json
         TAGS=""
-        if [ -n "%(puppet_tags)s" ]; then
-            TAGS='--tags "%(puppet_tags)s"'
+        if [ -n "$PUPPET_TAGS" ]; then
+            TAGS="--tags \"$PUPPET_TAGS\""
         fi
-        FACTER_hostname=%(hostname)s FACTER_uuid=docker /usr/bin/puppet apply --verbose $TAGS /etc/config.pp
+        FACTER_hostname=$HOSTNAME FACTER_uuid=docker /usr/bin/puppet apply --verbose $TAGS /etc/config.pp
         # Disables archiving
-        if [ -z "%(no_archive)s" ]; then
-            rm -Rf /var/lib/config-data/%(name)s
+        if [ -z "$NO_ARCHIVE" ]; then
+            rm -Rf /var/lib/config-data/${NAME}
             # copying etc should be enough for most services
-            mkdir -p /var/lib/config-data/%(name)s/etc
-            cp -a /etc/* /var/lib/config-data/%(name)s/etc/
+            mkdir -p /var/lib/config-data/${NAME}/etc
+            cp -a /etc/* /var/lib/config-data/${NAME}/etc/
             if [ -d /root/ ]; then
-                cp -a /root/ /var/lib/config-data/%(name)s/root/
+                cp -a /root/ /var/lib/config-data/${NAME}/root/
             fi
             if [ -d /var/lib/ironic/tftpboot/ ]; then
-                mkdir -p /var/lib/config-data/%(name)s/var/lib/ironic/
-                cp -a /var/lib/ironic/tftpboot/ /var/lib/config-data/%(name)s/var/lib/ironic/tftpboot/
+                mkdir -p /var/lib/config-data/${NAME}/var/lib/ironic/
+                cp -a /var/lib/ironic/tftpboot/ /var/lib/config-data/${NAME}/var/lib/ironic/tftpboot/
             fi
             if [ -d /var/lib/ironic/httpboot/ ]; then
-                mkdir -p /var/lib/config-data/%(name)s/var/lib/ironic/
-                cp -a /var/lib/ironic/httpboot/ /var/lib/config-data/%(name)s/var/lib/ironic/httpboot/
+                mkdir -p /var/lib/config-data/${NAME}/var/lib/ironic/
+                cp -a /var/lib/ironic/httpboot/ /var/lib/config-data/${NAME}/var/lib/ironic/httpboot/
             fi
             # apache services may files placed in /var/www/
             if [ -d /var/www/ ]; then
-                mkdir -p /var/lib/config-data/%(name)s/var/www
-                cp -a /var/www/* /var/lib/config-data/%(name)s/var/www/
+                mkdir -p /var/lib/config-data/${NAME}/var/www
+                cp -a /var/www/* /var/lib/config-data/${NAME}/var/www/
             fi
         fi
-        """ % {'puppet_tags': puppet_tags, 'name': config_volume,
-               'hostname': hostname,
-               'no_archive': os.environ.get('NO_ARCHIVE', ''),
-               'step': os.environ.get('STEP', '6')})
+        """)
 
     with tempfile.NamedTemporaryFile() as tmp_man:
         with open(tmp_man.name, 'w') as man_file:
@@ -211,6 +207,11 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
         dcmd = ['/usr/bin/docker', 'run',
                 '--user', 'root',
                 '--name', 'docker-puppet-%s' % config_volume,
+                '--env', 'PUPPET_TAGS=%s' % puppet_tags,
+                '--env', 'NAME=%s' % config_volume,
+                '--env', 'HOSTNAME=%s' % short_hostname(),
+                '--env', 'NO_ARCHIVE=%s' % os.environ.get('NO_ARCHIVE', ''),
+                '--env', 'STEP=%s' % os.environ.get('STEP', '6'),
                 '--volume', '%s:/etc/config.pp:ro' % tmp_man.name,
                 '--volume', '/etc/puppet/:/tmp/puppet-etc/:ro',
                 '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro',
diff --git a/docker/services/swift-proxy.yaml b/docker/services/swift-proxy.yaml
index bcf24c33..d183cc24 100644
--- a/docker/services/swift-proxy.yaml
+++ b/docker/services/swift-proxy.yaml
@@ -26,6 +26,13 @@ parameters:
   DefaultPasswords:
     default: {}
     type: json
+  EnableInternalTLS:
+    type: boolean
+    default: false
+
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 
 resources:
 
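Review bot: `rm -Rf /var/lib/config-data/${NAME}` now depends on `NAME` arriving from the container environment, and if it is unset or empty (the script is a plain file that any caller could start without the matching `--env`) the command becomes `rm -Rf /var/lib/config-data/`, removing every service's generated configuration; the old `%(name)s` form had the same shape but was bound to `config_volume` when the script was written. A guard near the top of the script, which starts before this hunk, such as `: "${NAME:?NAME must be set}"`, aborts instead of deleting. `$STEP` is likewise written into `docker.json` unchecked, as `%(step)s` was; the caller's defaults cover the normal path, so that only matters if the script is meant to be reused on its own.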
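Review bot: `EnableInternalTLS` is declared with only `type` and `default`; since it gates the `internal_tls_enabled` condition that adds a TLS-terminating httpd container further down the file, a `description` would tell operators what flipping it changes, e.g. `description: Front swift-proxy with a TLS proxy container for internal traffic.`. The blank line between `conditions:` and its single entry can also go.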
@@ -64,27 +71,48 @@ outputs:
             - path: /var/log/swift
               owner: swift:swift
               recurse: true
+        /var/lib/kolla/config_files/swift_proxy_tls_proxy.json:
+          command: /usr/sbin/httpd -DFOREGROUND
       docker_config:
         step_4:
-          swift_proxy:
-            image: *swift_proxy_image
-            net: host
-            user: swift
-            restart: always
-            volumes:
-              list_concat:
-                - {get_attr: [ContainersCommon, volumes]}
-                -
-                  - /var/lib/kolla/config_files/swift_proxy.json:/var/lib/kolla/config_files/config.json:ro
-                  # FIXME I'm mounting /etc/swift as rw. Are the rings written to
-                  # at all during runtime?
-                  - /var/lib/config-data/swift/etc/swift:/etc/swift:rw
-                  - /run:/run
-                  - /srv/node:/srv/node
-                  - /dev:/dev
-                  - /var/log/containers/swift:/var/log/swift
-            environment:
-              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+          map_merge:
+            - swift_proxy:
+                image: *swift_proxy_image
+                net: host
+                user: swift
+                restart: always
+                volumes:
+                  list_concat:
+                    - {get_attr: [ContainersCommon, volumes]}
+                    -
+                      - /var/lib/kolla/config_files/swift_proxy.json:/var/lib/kolla/config_files/config.json:ro
+                      # FIXME I'm mounting /etc/swift as rw. Are the rings written to
+                      # at all during runtime?
+                      - /var/lib/config-data/swift/etc/swift:/etc/swift:rw
+                      - /run:/run
+                      - /srv/node:/srv/node
+                      - /dev:/dev
+                      - /var/log/containers/swift:/var/log/swift
+                environment:
+                  - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+            - if:
+              - internal_tls_enabled
+              - swift_proxy_tls_proxy:
+                  image: *swift_proxy_image
+                  net: host
+                  user: root
+                  restart: always
+                  volumes:
+                    list_concat:
+                      - {get_attr: [ContainersCommon, volumes]}
+                      -
+                        - /var/lib/kolla/config_files/swift_proxy_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
+                        - /var/lib/config-data/swift/etc/httpd/:/etc/httpd/:ro
+                        - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+                        - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+                  environment:
+                    - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+              - {}
       host_prep_tasks:
         - name: create persistent directories
           file:
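Review bot: `swift_proxy_tls_proxy` runs httpd with `user: root` and `net: host`, whereas `swift_proxy` keeps `user: swift`; root is presumably needed to read `/etc/pki/tls/private/httpd`, but whether httpd then drops to an unprivileged worker user is decided by the puppet-generated config mounted from `/var/lib/config-data/swift/etc/httpd/`, which this template cannot show. A comment above `user: root` recording the reason and the expectation would help the next reader, e.g. `# root is needed to read the TLS private key; httpd is expected to drop privileges per its config`. Relatedly, with both containers on the host network, enabling the proxy adds an encrypted listener but only retires the cleartext one if swift-proxy's bind address is restricted to loopback under `internal_tls_enabled`, which is also configured outside this file and worth confirming.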
diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml
index 7b27663f..9bdbe2bd 100644
--- a/environments/docker-services-tls-everywhere.yaml
+++ b/environments/docker-services-tls-everywhere.yaml
@@ -20,6 +20,9 @@ resource_registry:
   OS::TripleO::Services::HeatEngine: ../docker/services/heat-engine.yaml
   OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
   OS::TripleO::Services::PankoApi: ../docker/services/panko-api.yaml
+  OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml
+  OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
+  OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml
   OS::TripleO::PostDeploySteps: ../docker/post.yaml
   OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml
diff --git a/environments/services-docker/undercloud-aodh.yaml b/environments/services-docker/undercloud-aodh.yaml
index 236512f6..95d4a873 100644
--- a/environments/services-docker/undercloud-aodh.yaml
+++ b/environments/services-docker/undercloud-aodh.yaml
@@ -1,5 +1,5 @@
 resource_registry:
-  OS::TripleO::Services::UndercloudAodhApi: ../docker/services/aodh-api.yaml
-  OS::TripleO::Services::UndercloudAodhEvaluator: ../docker/services/aodh-evaluator.yaml
-  OS::TripleO::Services::UndercloudAodhNotifier: ../docker/services/aodh-notifier.yaml
-  OS::TripleO::Services::UndercloudAodhListener: ../docker/services/aodh-listener.yaml
+  OS::TripleO::Services::UndercloudAodhApi: ../../docker/services/aodh-api.yaml
+  OS::TripleO::Services::UndercloudAodhEvaluator: ../../docker/services/aodh-evaluator.yaml
+  OS::TripleO::Services::UndercloudAodhNotifier: ../../docker/services/aodh-notifier.yaml
+  OS::TripleO::Services::UndercloudAodhListener: ../../docker/services/aodh-listener.yaml
diff --git a/environments/services-docker/undercloud-gnocchi.yaml b/environments/services-docker/undercloud-gnocchi.yaml
index 55b0ac2d..4b898cb3 100644
--- a/environments/services-docker/undercloud-gnocchi.yaml
+++ b/environments/services-docker/undercloud-gnocchi.yaml
@@ -1,4 +1,4 @@
 resource_registry:
-  OS::TripleO::Services::UndercloudGnocchiApi: ../docker/services/gnocchi-api.yaml
-  OS::TripleO::Services::UndercloudGnocchiMetricd: ../docker/services/gnocchi-metricd.yaml
-  OS::TripleO::Services::UndercloudGnocchiStatsd: ../docker/services/gnocchi-statsd.yaml
+  OS::TripleO::Services::UndercloudGnocchiApi: ../../docker/services/gnocchi-api.yaml
+  OS::TripleO::Services::UndercloudGnocchiMetricd: ../../docker/services/gnocchi-metricd.yaml
+  OS::TripleO::Services::UndercloudGnocchiStatsd: ../../docker/services/gnocchi-statsd.yaml
diff --git a/environments/services-docker/undercloud-panko.yaml b/environments/services-docker/undercloud-panko.yaml
index ffe3b6da..8384f311 100644
--- a/environments/services-docker/undercloud-panko.yaml
+++ b/environments/services-docker/undercloud-panko.yaml
@@ -1,2 +1,2 @@
 resource_registry:
-  OS::TripleO::Services::UndercloudPankoApi: ../docker/services/panko-api.yaml
+  OS::TripleO::Services::UndercloudPankoApi: ../../docker/services/panko-api.yaml
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 58b2b7bf..c42b0530 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -231,6 +231,7 @@ outputs:
             content: {get_param: KeystoneFernetKey0}
           '/etc/keystone/fernet-keys/1':
             content: {get_param: KeystoneFernetKey1}
+        keystone::fernet_replace_keys: false
         keystone::debug: {get_param: Debug}
         keystone::rabbit_userid: {get_param: RabbitUserName}
         keystone::rabbit_password: {get_param: RabbitPassword}
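Review bot: `keystone::fernet_replace_keys: false` sits directly under the `KeystoneFernetKey0`/`KeystoneFernetKey1` entries but nothing says why; if the puppet parameter behaves as its name suggests, keys already present on disk will no longer be overwritten, so updating those Heat parameters on an existing deployment will not replace the keys, while keys rotated at runtime are preserved. A one-line comment above it, e.g. `# Do not overwrite fernet keys already on disk: Key0/Key1 only seed the repository`, records that trade-off for operators who expect the parameters to rotate keys.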