diff options
| -rw-r--r-- | docker/services/database/mongodb.yaml | 16 | ||||
| -rw-r--r-- | docker/services/database/mysql.yaml | 25 | ||||
| -rw-r--r-- | docker/services/rabbitmq.yaml | 9 | ||||
| -rw-r--r-- | docker/services/swift-proxy.yaml | 7 | ||||
| -rw-r--r-- | docker/services/swift-storage.yaml | 35 | ||||
| -rw-r--r-- | puppet/services/etcd.yaml | 2 | ||||
| -rw-r--r-- | puppet/services/ironic-conductor.yaml | 43 | ||||
| -rw-r--r-- | releasenotes/notes/deprecate-NeutronExternalNetworkBridge-7d42f1a0718da327.yaml | 10 | ||||
| -rw-r--r-- | releasenotes/notes/etcdtoken-4c46bdfac940acda.yaml | 6 |
9 files changed, 125 insertions, 28 deletions
diff --git a/docker/services/database/mongodb.yaml b/docker/services/database/mongodb.yaml index 68a64a7d..36f33403 100644 --- a/docker/services/database/mongodb.yaml +++ b/docker/services/database/mongodb.yaml @@ -73,7 +73,16 @@ outputs: perm: '0600' docker_config: step_2: + mongodb_data_ownership: + start_order: 0 + image: *mongodb_image + net: host + user: root + command: ['chown', '-R', 'mongodb:', '/var/lib/mongodb'] + volumes: + - /var/lib/mongodb:/var/lib/mongodb mongodb: + start_order: 1 image: *mongodb_image net: host privileged: false @@ -82,7 +91,7 @@ outputs: - /var/lib/config-data/mongodb/:/var/lib/kolla/config_files/src:ro - /etc/localtime:/etc/localtime:ro - logs:/var/log/kolla - - mongodb:/var/lib/mongodb/ + - /var/lib/mongodb:/var/lib/mongodb environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS docker_puppet_tasks: @@ -98,6 +107,11 @@ outputs: volumes: - "mongodb:/var/lib/mongodb/" - "logs:/var/log/kolla:ro" + host_prep_tasks: + - name: create /var/lib/mongodb + file: + path: /var/lib/mongodb + state: directory upgrade_tasks: - name: Stop and disable mongodb service tags: step2 diff --git a/docker/services/database/mysql.yaml b/docker/services/database/mysql.yaml index 46b856e3..531c1ebd 100644 --- a/docker/services/database/mysql.yaml +++ b/docker/services/database/mysql.yaml @@ -82,17 +82,29 @@ outputs: perm: '0644' docker_config: step_2: - mysql_bootstrap: + mysql_data_ownership: start_order: 0 detach: false image: *mysql_image net: host + user: root + # Kolla does only non-recursive chown + command: ['chown', '-R', 'mysql:', '/var/lib/mysql'] + volumes: + - /var/lib/mysql:/var/lib/mysql + mysql_bootstrap: + start_order: 1 + detach: false + image: *mysql_image + net: host + # Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done + command: ['bash', '-c', 'test -e /var/lib/mysql/mysql || kolla_start'] volumes: &mysql_volumes - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json - /var/lib/config-data/mysql/:/var/lib/kolla/config_files/src:ro - /etc/localtime:/etc/localtime:ro - /etc/hosts:/etc/hosts:ro - - mariadb:/var/lib/mysql/ + - /var/lib/mysql:/var/lib/mysql environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - KOLLA_BOOTSTRAP=True @@ -110,7 +122,7 @@ outputs: - {get_param: MysqlRootPassword} - {get_param: [DefaultPasswords, mysql_root_password]} mysql: - start_order: 1 + start_order: 2 image: *mysql_image restart: always net: host @@ -128,8 +140,13 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerMysqlImage} ] volumes: - - "mariadb:/var/lib/mysql/:ro" + - "/var/lib/mysql:/var/lib/mysql/:ro" - "/var/lib/config-data/mysql/root:/root:ro" #provides .my.cnf + host_prep_tasks: + - name: create /var/lib/mysql + file: + path: /var/lib/mysql + state: directory upgrade_tasks: - name: Stop and disable mysql service tags: step2 diff --git a/docker/services/rabbitmq.yaml b/docker/services/rabbitmq.yaml index 573ec178..341ec3de 100644 --- a/docker/services/rabbitmq.yaml +++ b/docker/services/rabbitmq.yaml @@ -90,7 +90,7 @@ outputs: - /var/lib/config-data/rabbitmq/:/var/lib/kolla/config_files/src:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - - rabbitmq:/var/lib/rabbitmq/ + - /var/lib/rabbitmq:/var/lib/rabbitmq environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - KOLLA_BOOTSTRAP=True @@ -116,9 +116,14 @@ outputs: - /var/lib/config-data/rabbitmq/:/var/lib/kolla/config_files/src:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - - rabbitmq:/var/lib/rabbitmq/ + - /var/lib/rabbitmq:/var/lib/rabbitmq environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create /var/lib/rabbitmq + file: + path: /var/lib/rabbitmq + state: directory upgrade_tasks: - name: Stop and disable rabbitmq service tags: step2 diff --git a/docker/services/swift-proxy.yaml b/docker/services/swift-proxy.yaml index 93e21c81..0d7cd7b9 100644 --- a/docker/services/swift-proxy.yaml +++ b/docker/services/swift-proxy.yaml @@ -72,10 +72,15 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /run:/run - - swift-srv:/srv + - /srv/node:/srv/node - /dev:/dev environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create /srv/node + file: + path: /srv/node + state: directory upgrade_tasks: - name: Stop and disable swift_proxy service tags: step2 diff --git a/docker/services/swift-storage.yaml b/docker/services/swift-storage.yaml index 8e76504c..9c8d84e2 100644 --- a/docker/services/swift-storage.yaml +++ b/docker/services/swift-storage.yaml @@ -104,9 +104,9 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerSwiftAccountImage} ] user: root - command: ['/bin/bash', '-c', 'mkdir /srv/node && chown swift:swift /srv/node'] + command: ['chown', '-R', 'swift:', '/srv/node'] volumes: - - swift-srv:/srv + - /srv/node:/srv/node step_4: swift_account_auditor: image: @@ -123,7 +123,7 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /run:/run - - swift-srv:/srv + - /srv/node:/srv/node - /dev:/dev environment: &kolla_env - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS @@ -142,7 +142,7 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /run:/run - - swift-srv:/srv + - /srv/node:/srv/node - /dev:/dev environment: *kolla_env swift_account_replicator: @@ -160,7 +160,7 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /run:/run - - swift-srv:/srv + - /srv/node:/srv/node - /dev:/dev environment: *kolla_env swift_account_server: @@ -178,7 +178,7 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /run:/run - - swift-srv:/srv + - /srv/node:/srv/node - /dev:/dev environment: *kolla_env swift_container_auditor: @@ -196,7 +196,7 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /run:/run - - swift-srv:/srv + - /srv/node:/srv/node - /dev:/dev environment: *kolla_env swift_container_replicator: @@ -214,7 +214,7 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /run:/run - - swift-srv:/srv + - /srv/node:/srv/node - /dev:/dev environment: *kolla_env swift_container_updater: @@ -232,7 +232,7 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /run:/run - - swift-srv:/srv + - /srv/node:/srv/node - /dev:/dev environment: *kolla_env swift_container_server: @@ -250,7 +250,7 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /run:/run - - swift-srv:/srv + - /srv/node:/srv/node - /dev:/dev environment: *kolla_env swift_object_auditor: @@ -268,7 +268,7 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /run:/run - - swift-srv:/srv + - /srv/node:/srv/node - /dev:/dev environment: *kolla_env swift_object_expirer: @@ -286,7 +286,7 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /run:/run - - swift-srv:/srv + - /srv/node:/srv/node - /dev:/dev environment: *kolla_env swift_object_replicator: @@ -304,7 +304,7 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /run:/run - - swift-srv:/srv + - /srv/node:/srv/node - /dev:/dev environment: *kolla_env swift_object_updater: @@ -322,7 +322,7 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /run:/run - - swift-srv:/srv + - /srv/node:/srv/node - /dev:/dev environment: *kolla_env swift_object_server: @@ -340,9 +340,14 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - /run:/run - - swift-srv:/srv + - /srv/node:/srv/node - /dev:/dev environment: *kolla_env + host_prep_tasks: + - name: create /srv/node + file: + path: /srv/node + state: directory upgrade_tasks: - name: Stop and disable swift storage services tags: step2 diff --git a/puppet/services/etcd.yaml b/puppet/services/etcd.yaml index 7cdd8451..5db8bec0 100644 --- a/puppet/services/etcd.yaml +++ b/puppet/services/etcd.yaml @@ -19,9 +19,9 @@ parameters: via parameter_defaults in the resource registry. type: json EtcdInitialClusterToken: - default: 'etcd-tripleo' description: Initial cluster token for the etcd cluster during bootstrap. type: string + hidden: true MonitoringSubscriptionEtcd: default: 'overcloud-etcd' type: string diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml index f9547bef..56e1a90b 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/puppet/services/ironic-conductor.yaml @@ -44,6 +44,10 @@ parameters: default: 8088 description: Port to use for serving images when iPXE is used. type: string + IronicPassword: + description: The password for the Ironic service and db account, used by the Ironic services + type: string + hidden: true MonitoringSubscriptionIronicConductor: default: 'overcloud-ironic-conductor' type: string @@ -65,9 +69,7 @@ outputs: config_settings: map_merge: - get_attr: [IronicBase, role_data, config_settings] - # FIXME: I have no idea why neutron_url is in "api" manifest - - ironic::api::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} - ironic::conductor::api_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} + - ironic::conductor::api_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} ironic::conductor::cleaning_disk_erase: {get_param: IronicCleaningDiskErase} ironic::conductor::cleaning_network: {get_param: IronicCleaningNetwork} ironic::conductor::enabled_drivers: {get_param: IronicEnabledDrivers} @@ -104,7 +106,40 @@ outputs: # the VIP, but rather a real IP of the host. ironic::my_ip: {get_param: [ServiceNetMap, IronicNetwork]} ironic::pxe::common::http_port: {get_param: IronicIPXEPort} - + # Credentials to access other services + ironic::glance::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::glance::username: 'ironic' + ironic::glance::password: {get_param: IronicPassword} + ironic::glance::project_name: 'service' + ironic::glance::user_domain_name: 'Default' + ironic::glance::project_domain_name: 'Default' + ironic::neutron::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::neutron::username: 'ironic' + ironic::neutron::password: {get_param: IronicPassword} + ironic::neutron::project_name: 'service' + ironic::neutron::user_domain_name: 'Default' + ironic::neutron::project_domain_name: 'Default' + ironic::service_catalog::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::service_catalog::username: 'ironic' + ironic::service_catalog::password: {get_param: IronicPassword} + ironic::service_catalog::project_name: 'service' + ironic::service_catalog::user_domain_name: 'Default' + ironic::service_catalog::project_domain_name: 'Default' + ironic::swift::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::swift::username: 'ironic' + ironic::swift::password: {get_param: IronicPassword} + ironic::swift::project_name: 'service' + ironic::swift::user_domain_name: 'Default' + ironic::swift::project_domain_name: 'Default' + # ironic-inspector support is not implemented, but let's configure + # the credentials for consistency. + ironic::drivers::inspector::enabled: false + ironic::drivers::inspector::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ironic::drivers::inspector::username: 'ironic' + ironic::drivers::inspector::password: {get_param: IronicPassword} + ironic::drivers::inspector::project_name: 'service' + ironic::drivers::inspector::user_domain_name: 'Default' + ironic::drivers::inspector::project_domain_name: 'Default' step_config: | include ::tripleo::profile::base::ironic::conductor upgrade_tasks: diff --git a/releasenotes/notes/deprecate-NeutronExternalNetworkBridge-7d42f1a0718da327.yaml b/releasenotes/notes/deprecate-NeutronExternalNetworkBridge-7d42f1a0718da327.yaml new file mode 100644 index 00000000..09067296 --- /dev/null +++ b/releasenotes/notes/deprecate-NeutronExternalNetworkBridge-7d42f1a0718da327.yaml @@ -0,0 +1,10 @@ +--- +upgrade: + - The ``NeutronExternalNetworkBridge`` parameter changed its default value + from ``br-ex`` to an empty string value. It means that by default Neutron + L3 agent will be able to serve multiple external networks. (It was always + the case for those who were using templates with the value of the parameter + overridden by an empty string value.) +deprecations: + - The ``NeutronExternalNetworkBridge`` parameter is deprecated and will be + removed in a next release. diff --git a/releasenotes/notes/etcdtoken-4c46bdfac940acda.yaml b/releasenotes/notes/etcdtoken-4c46bdfac940acda.yaml new file mode 100644 index 00000000..da995949 --- /dev/null +++ b/releasenotes/notes/etcdtoken-4c46bdfac940acda.yaml @@ -0,0 +1,6 @@ +--- +security: + - | + Secure EtcdInitialClusterToken by removing the default value + and make the parameter hidden. + Fixes `bug 1673266 <https://bugs.launchpad.net/tripleo/+bug/1673266>`__. |