Diffstat (limited to 'docker/services')
-rw-r--r-- | docker/services/ceph-ansible/ceph-base.yaml | 32 | ||||
-rw-r--r-- | docker/services/ceph-ansible/ceph-rgw.yaml | 87 | ||||
-rw-r--r-- | docker/services/cinder-api.yaml | 2 | ||||
-rw-r--r-- | docker/services/database/mongodb.yaml | 4 | ||||
-rw-r--r-- | docker/services/database/redis.yaml | 87 | ||||
-rw-r--r-- | docker/services/heat-api.yaml | 2 | ||||
-rw-r--r-- | docker/services/iscsid.yaml | 4 | ||||
-rw-r--r-- | docker/services/keystone.yaml | 2 | ||||
-rw-r--r-- | docker/services/nova-api.yaml | 2 | ||||
-rw-r--r-- | docker/services/nova-compute.yaml | 11 | ||||
-rw-r--r-- | docker/services/nova-conductor.yaml | 12 | ||||
-rw-r--r-- | docker/services/opendaylight-api.yaml | 15 | ||||
-rw-r--r-- | docker/services/pacemaker/database/mysql.yaml | 4 | ||||
-rw-r--r-- | docker/services/pacemaker/haproxy.yaml | 1 | ||||
-rw-r--r-- | docker/services/swift-ringbuilder.yaml | 23 | ||||
-rw-r--r-- | docker/services/zaqar.yaml | 3 |
16 files changed, 255 insertions, 36 deletions
diff --git a/docker/services/ceph-ansible/ceph-base.yaml b/docker/services/ceph-ansible/ceph-base.yaml index bf2c86c4..18d3e6a3 100644 --- a/docker/services/ceph-ansible/ceph-base.yaml +++ b/docker/services/ceph-ansible/ceph-base.yaml @@ -100,6 +100,14 @@ parameters: CephClientUserName: default: openstack type: string + CephRgwClientName: + default: radosgw + type: string + CephRgwKey: + description: The cephx key for the radosgw client. Can be created + with ceph-authtool --gen-print-key. + type: string + hidden: true CephPoolDefaultSize: description: default minimum replication for RBD copies type: number @@ -115,10 +123,13 @@ parameters: CephIPv6: default: False type: boolean + SwiftPassword: + description: The password for the swift service account + type: string + hidden: true DockerCephDaemonImage: description: image type: string - default: 'ceph/daemon:tag-build-master-jewel-centos-7' conditions: custom_registry_host: 
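Review bot: DockerCephDaemonImage loses its default in this hunk but its description stays as the single word `image`, so an operator who now hits a missing-parameter error gets no hint of what to supply; suggest `description: Container image for the ceph-ansible ceph/daemon container (no default, must be supplied by the deployment)`. The two new secrets are correctly marked `hidden: true`; it would help to note in CephRgwKey's description that the key is written into a keyring on the nodes (the `openstack_keys` list later in this file), since a generated key the operator never sees elsewhere is otherwise easy to treat as disposable. The `parameters` block continues outside the hunk.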
@@ -241,16 +252,33 @@ outputs: - - client - {get_param: ManilaCephFSNativeCephFSAuthId} key: {get_param: CephManilaClientKey} - mon_cap: "allow r, allow command auth del, allow command auth caps, allow command auth get, allow command auth get-or-create" + mon_cap: 'allow r, allow command \\\"auth del\\\", allow command \\\"auth caps\\\", allow command \\\"auth get\\\", allow command \\\"auth get-or-create\\\"' mds_cap: "allow *" osd_cap: "allow rw" mode: "0644" + - name: + list_join: + - '.' + - - client + - {get_param: CephRgwClientName} + key: {get_param: CephRgwKey} + mon_cap: "allow rw" + osd_cap: "allow rwx" + mode: "0644" keys: *openstack_keys pools: [] ceph_conf_overrides: global: osd_pool_default_size: {get_param: CephPoolDefaultSize} osd_pool_default_pg_num: {get_param: CephPoolDefaultPgNum} + rgw_keystone_api_version: 3 + rgw_keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + rgw_keystone_accepted_roles: 'Member, _member_, admin' + rgw_keystone_admin_domain: default + rgw_keystone_admin_project: service + rgw_keystone_admin_user: swift + rgw_keystone_admin_password: {get_param: SwiftPassword} + rgw_s3_auth_use_keystone: 'true' ntp_service_enabled: false generate_fsid: false ip_version: diff --git a/docker/services/ceph-ansible/ceph-rgw.yaml b/docker/services/ceph-ansible/ceph-rgw.yaml new file mode 100644 index 00000000..4bed9b46 --- /dev/null +++ b/docker/services/ceph-ansible/ceph-rgw.yaml 
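Review bot: The new radosgw keyring entry is written with `mode: "0644"`, which makes a cephx secret world-readable on every node that receives the keyring; unless something in ceph-ansible narrows it (not visible here), `mode: "0600"` with the rgw daemon's owner is the safer value for the new entry, leaving the pre-existing 0644 entries to a separate change. In the same hunk `rgw_keystone_admin_password: {get_param: SwiftPassword}` places the Swift service-account password in ceph.conf via `ceph_conf_overrides`, and ceph.conf is conventionally world-readable — worth a comment such as `# NOTE: lands in ceph.conf on rgw nodes; ceph.conf permissions must restrict it` so the trade-off is recorded. The `openstack_keys` list and the enclosing outputs block begin before this hunk.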
@@ -0,0 +1,87 @@ +heat_template_version: pike + +description: > + Ceph RadosGW service. + +parameters: + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + SwiftPassword: + description: The password for the swift service account + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + +resources: + CephBase: + type: ./ceph-base.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Ceph RadosGW service. 
+ value: + service_name: ceph_rgw + upgrade_tasks: [] + step_config: '' + puppet_config: + config_image: '' + config_volume: '' + step_config: '' + docker_config: {} + service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]} + config_settings: + map_merge: + - tripleo.ceph_rgw.firewall_rules: + '122 ceph rgw': + dport: {get_param: [EndpointMap, CephRgwInternal, port]} + - ceph_rgw_ansible_vars: + map_merge: + - {get_attr: [CephBase, role_data, config_settings, ceph_common_ansible_vars]} + - radosgw_keystone: true + radosgw_keystone_ssl: false + radosgw_address_block: {get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephRgwNetwork]}]} + radosgw_civetweb_port: {get_param: [EndpointMap, CephRgwInternal, port]} + service_config_settings: + keystone: + ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]} + ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]} + ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]} + ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion} + ceph::rgw::keystone::auth::roles: [ 'admin', 'Member', '_member_' ] + ceph::rgw::keystone::auth::tenant: service + ceph::rgw::keystone::auth::user: swift + ceph::rgw::keystone::auth::password: {get_param: SwiftPassword} diff --git a/docker/services/cinder-api.yaml b/docker/services/cinder-api.yaml index 519b2328..93d09ca0 100644 --- a/docker/services/cinder-api.yaml +++ b/docker/services/cinder-api.yaml @@ -163,6 +163,8 @@ outputs: user: root privileged: false restart: always + healthcheck: + test: /bin/true volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} diff --git a/docker/services/database/mongodb.yaml b/docker/services/database/mongodb.yaml index 9b5c5b8f..d6bba20b 100644 --- a/docker/services/database/mongodb.yaml +++ b/docker/services/database/mongodb.yaml 
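Review bot: `radosgw_keystone_ssl: false` is hard-coded while `rgw_keystone_url` (set in ceph-base.yaml in this same change) follows EndpointMap, so when KeystoneInternal is served over https the two settings disagree; if I read ceph-ansible's flag correctly it controls the Keystone TLS handling on the rgw side — confirm. The redis.yaml hunk in this change already introduces an `EnableInternalTLS` parameter with an `internal_tls_enabled` condition; the same pattern here, `radosgw_keystone_ssl: {if: [internal_tls_enabled, true, false]}`, would keep the template consistent. `upgrade_tasks: []` and `docker_config: {}` also deserve a one-line comment saying the containers are driven by ceph-ansible via `service_workflow_tasks`, which is otherwise surprising in a docker/services template.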
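Review bot: `healthcheck: test: /bin/true` always succeeds, so Docker will report this container healthy even when cinder-api is not answering, which is worse than no healthcheck for anyone alerting on container health. If the intent is only to override the image's built-in HEALTHCHECK until a real probe exists, say so, e.g. `# placeholder: neutralises the image HEALTHCHECK; replace with a real API probe`. The same stub is added to heat-api, keystone and nova-api in this change.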
@@ -157,6 +157,10 @@ outputs: metadata_settings: get_attr: [MongodbPuppetBase, role_data, metadata_settings] upgrade_tasks: + - name: Check for mongodb service + stat: path=/usr/lib/systemd/system/mongod.service + register: mongod_service - name: Stop and disable mongodb service tags: step2 service: name=mongod state=stopped enabled=no + when: mongod_service.stat.exists diff --git a/docker/services/database/redis.yaml b/docker/services/database/redis.yaml index 980a8c6d..487b4c67 100644 --- a/docker/services/database/redis.yaml +++ b/docker/services/database/redis.yaml @@ -36,9 +36,19 @@ parameters: default: {} description: Parameters specific to the role type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: + ContainersCommon: + type: ../containers-common.yaml + RedisBase: type: ../../../puppet/services/database/redis.yaml properties: @@ -56,6 +66,8 @@ outputs: map_merge: - {get_attr: [RedisBase, role_data, config_settings]} - redis::daemonize: false + tripleo::stunnel::manage_service: false + tripleo::stunnel::foreground: 'yes' step_config: &step_config get_attr: [RedisBase, role_data, step_config] service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]} 
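Review bot: The new `Check for mongodb service` stat task carries no `tags: step2` while the stop task it guards does; if the upgrade tasks are run filtered by step tag (as the `tags:` convention here suggests), the stat is skipped and `mongod_service` is undefined, so the new `when:` fails rather than protects. Either add `tags: step2` to the stat task or use the defensive form the iscsid hunk in this same change adopts: `when: (mongod_service.stat|default('')).exists|default(false)`.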
@@ -80,31 +92,60 @@ outputs: - path: /var/run/redis owner: redis:redis recurse: true + /var/lib/kolla/config_files/redis_tls_proxy.json: + command: stunnel /etc/stunnel/stunnel.conf + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true docker_config: step_1: - redis_init_logs: - start_order: 0 - detach: false - image: &redis_image {get_param: DockerRedisImage} - privileged: false - user: root - volumes: - - /var/log/containers/redis:/var/log/redis - command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis'] - redis: - start_order: 1 - image: *redis_image - net: host - privileged: false - restart: always - volumes: - - /run:/run - - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro - - /etc/localtime:/etc/localtime:ro - - /var/log/containers/redis:/var/log/redis - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + map_merge: + - redis_init_logs: + start_order: 0 + detach: false + image: &redis_image {get_param: DockerRedisImage} + privileged: false + user: root + volumes: + - /var/log/containers/redis:/var/log/redis + command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis'] + - redis: + start_order: 1 + image: *redis_image + net: host + privileged: false + restart: always + volumes: + - /run:/run + - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro + - /etc/localtime:/etc/localtime:ro + - /var/log/containers/redis:/var/log/redis + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - if: + - internal_tls_enabled + - redis_tls_proxy: + start_order: 2 + image: *redis_image + net: host + user: root + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - 
/var/lib/kolla/config_files/redis_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro + - /etc/pki/tls/certs/redis.crt:/etc/pki/tls/certs/redis.crt:ro + - /etc/pki/tls/private/redis.key:/etc/pki/tls/private/redis.key:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - {} + metadata_settings: + get_attr: [RedisBase, role_data, metadata_settings] host_prep_tasks: - name: create persistent directories file: diff --git a/docker/services/heat-api.yaml b/docker/services/heat-api.yaml index 54c7bedd..6c1621f1 100644 --- a/docker/services/heat-api.yaml +++ b/docker/services/heat-api.yaml @@ -136,6 +136,8 @@ outputs: user: root privileged: false restart: always + healthcheck: + test: /bin/true volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} diff --git a/docker/services/iscsid.yaml b/docker/services/iscsid.yaml index 80519800..c34a59d5 100644 --- a/docker/services/iscsid.yaml +++ b/docker/services/iscsid.yaml @@ -109,7 +109,7 @@ outputs: - name: Stop and disable iscsid service tags: step2 service: name=iscsid state=stopped enabled=no - when: stat_iscsid_service.stat.exists + when: (stat_iscsid_service.stat|default('')).exists|default(false) - name: stat /lib/systemd/system/iscsid.socket tags: step2 stat: path=/lib/systemd/system/iscsid.socket @@ -117,4 +117,4 @@ outputs: - name: Stop and disable iscsid.socket service tags: step2 service: name=iscsid.socket state=stopped enabled=no - when: stat_iscsid_socket.stat.exists + when: (stat_iscsid_socket.stat|default('')).exists|default(false) diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml index 4c2c1d16..97b4c5d5 100644 --- a/docker/services/keystone.yaml +++ b/docker/services/keystone.yaml 
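Review bot: The new `redis_tls_proxy` container runs as `user: root` on the host network with the redis private key mounted; stunnel can drop privileges with `setuid`/`setgid` in stunnel.conf, but that file is puppet-generated and not visible here, so confirm it does, or set a non-root `user:` and align the key file's ownership. Note also that adding stunnel only adds a TLS listener in front of redis; the plaintext redis listener on the host network remains reachable unless `redis::bind` is restricted to the loopback address in the puppet profile — presumably it is, but worth confirming before treating internal TLS as enforced. A short comment on the `if:` branch, e.g. `# stunnel terminates TLS for redis when internal TLS is enabled`, would help readers of the `map_merge`.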
@@ -175,6 +175,8 @@ outputs: privileged: false restart: always command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n'] + healthcheck: + test: /bin/true volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml index 37c4da5b..7142b70e 100644 --- a/docker/services/nova-api.yaml +++ b/docker/services/nova-api.yaml @@ -196,6 +196,8 @@ outputs: user: root privileged: false restart: always + healthcheck: + test: /bin/true volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml index 39d1740c..bf7841be 100644 --- a/docker/services/nova-compute.yaml +++ b/docker/services/nova-compute.yaml @@ -41,6 +41,10 @@ parameters: description: Port that dockerized nova migration target sshd service binds to. type: number + UpgradeLevelNovaCompute: + type: string + description: Nova Compute upgrade level + default: '' resources: @@ -142,6 +146,13 @@ outputs: path: /etc/ceph state: directory upgrade_tasks: + - name: Set compute upgrade level to auto + tags: step1 + ini_file: + str_replace: + template: "dest=/etc/nova/nova.conf section=upgrade_levels option=compute value=LEVEL" + params: + LEVEL: {get_param: UpgradeLevelNovaCompute} - name: Stop and disable nova-compute service tags: step2 service: name=openstack-nova-compute state=stopped enabled=no diff --git a/docker/services/nova-conductor.yaml b/docker/services/nova-conductor.yaml index ae737056..17d137cc 100644 --- a/docker/services/nova-conductor.yaml +++ b/docker/services/nova-conductor.yaml @@ -36,7 +36,10 @@ parameters: default: {} description: Parameters specific to the role type: json - + UpgradeLevelNovaCompute: + type: string + description: Nova Compute upgrade level + default: '' resources: 
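Review bot: The new upgrade task passes `ini_file` its arguments as a `key=value` shorthand string built by `str_replace`; any UpgradeLevelNovaCompute value containing whitespace or `=` is mis-parsed by that shorthand, and with the default `''` the task writes an empty `compute =` rather than leaving the option alone. The task name says "to auto" but the value is whatever the parameter holds, so the name should drop "to auto". Using the module's YAML argument form avoids the string-building entirely:
```yaml
- name: Set compute upgrade level
  tags: step1
  ini_file:
    dest: /etc/nova/nova.conf
    section: upgrade_levels
    option: compute
    value: {get_param: UpgradeLevelNovaCompute}
# … unchanged: Stop and disable nova-compute service task …
```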
@@ -108,6 +111,13 @@ outputs: path: /var/log/containers/nova state: directory upgrade_tasks: + - name: Set compute upgrade level to auto + tags: step1 + ini_file: + str_replace: + template: "dest=/etc/nova/nova.conf section=upgrade_levels option=compute value=LEVEL" + params: + LEVEL: {get_param: UpgradeLevelNovaCompute} - name: Stop and disable nova_conductor service tags: step2 service: name=openstack-nova-conductor state=stopped enabled=no diff --git a/docker/services/opendaylight-api.yaml b/docker/services/opendaylight-api.yaml index 6a62f65e..2a6fcfe8 100644 --- a/docker/services/opendaylight-api.yaml +++ b/docker/services/opendaylight-api.yaml @@ -97,10 +97,21 @@ outputs: - - /var/lib/kolla/config_files/opendaylight_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/opendaylight/:/var/lib/kolla/config_files/src:ro + - /var/log/containers/opendaylight:/opt/opendaylight/data/log + - /var/lib/opendaylight/journal:/opt/opendaylight/journal + - /var/lib/opendaylight/snapshots:/opt/opendaylight/snapshots environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - + host_prep_tasks: + - name: create persistent directories + file: + path: "{{ item }}" + state: directory + with_items: + - /var/log/containers/opendaylight + - /var/lib/opendaylight/snapshots + - /var/lib/opendaylight/journal upgrade_tasks: - name: Stop and disable opendaylight_api service tags: step2 - service: name=opendaylight state=stopped enabled=no + service: name=opendaylight state=stopped enabled=no
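Review bot: As with nova-compute in this change, the `ini_file` arguments are a `str_replace`-built `key=value` string, so a parameter value with whitespace or `=` is mis-parsed and the default `''` writes an empty `compute =`; the task name "to auto" also does not match the parameter-driven value. The YAML argument form is safer:
```yaml
- name: Set compute upgrade level
  tags: step1
  ini_file:
    dest: /etc/nova/nova.conf
    section: upgrade_levels
    option: compute
    value: {get_param: UpgradeLevelNovaCompute}
# … unchanged: Stop and disable nova_conductor service task …
```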
\ No newline at end of file diff --git a/docker/services/pacemaker/database/mysql.yaml b/docker/services/pacemaker/database/mysql.yaml index 3de1696d..f57f779e 100644 --- a/docker/services/pacemaker/database/mysql.yaml +++ b/docker/services/pacemaker/database/mysql.yaml @@ -162,13 +162,13 @@ outputs: # Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done command: - 'bash' - - '-ec' + - '-ecx' - list_join: - "\n" - - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi' - 'kolla_start' - - 'mysqld_safe --skip-networking --wsrep-on=OFF &' + - 'mysqld_safe --skip-networking --wsrep-on=OFF --wsrep-provider=none &' - 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done''' - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER ''clustercheck''@''localhost'' IDENTIFIED BY ''${DB_CLUSTERCHECK_PASSWORD}'';"' - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "GRANT PROCESS ON *.* TO ''clustercheck''@''localhost'' WITH GRANT OPTION;"' diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml index 2e5c7424..3cdc5255 100644 --- a/docker/services/pacemaker/haproxy.yaml +++ b/docker/services/pacemaker/haproxy.yaml @@ -88,6 +88,7 @@ outputs: - get_param: InternalTLSCAFile - get_param: HAProxyInternalTLSKeysDirectory - get_param: HAProxyInternalTLSCertsDirectory + - get_param: DeployedSSLCertificatePath tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory} tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory} # disable the use CRL file until we can restart the container when the file expires diff --git a/docker/services/swift-ringbuilder.yaml b/docker/services/swift-ringbuilder.yaml index e4e2c7d2..2a44f703 100644 --- a/docker/services/swift-ringbuilder.yaml +++ b/docker/services/swift-ringbuilder.yaml 
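Review bot: The three persistent directories are created with no `owner` or `mode`, so `/var/lib/opendaylight/journal` and `/var/lib/opendaylight/snapshots` get the host default umask; those directories presumably hold the persisted ODL datastore (confirm), which is not something every local user should be able to read. Suggest adding `mode: 0750` (and an `owner` matching the user the container runs as, which is not visible in this hunk) to the `file:` task. The hunk also strips the file's trailing newline (`\ No newline at end of file`); restore it.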
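Review bot: Switching the bootstrap shell from `-ec` to `-ecx` turns on xtrace, and the traced lines in this same hunk include the expanded `mysql -uroot -p"${DB_ROOT_PASSWORD}"` invocations and the `CREATE USER 'clustercheck' ... IDENTIFIED BY '${DB_CLUSTERCHECK_PASSWORD}'` statement, so both passwords end up in the container's stdout and therefore in the docker logs. Keep `-ec`, or bracket the password-bearing lines with `set +x` / `set -x`, or pass the root password through `MYSQL_PWD`/a defaults file so the trace never contains it. The `list_join` script continues past the end of the hunk.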
@@ -7,6 +7,10 @@ parameters: DockerSwiftConfigImage: description: The container image to use for the swift config_volume type: string + DockerSwiftRingbuilderConfigImage: + description: Fake parameter to bypass config_volume yaml validation + type: string + default: '' ServiceData: default: {} description: Dictionary packing service data @@ -92,9 +96,22 @@ outputs: service_config_settings: {get_attr: [SwiftRingbuilderBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS puppet_config: - config_volume: 'swift' + config_volume: 'swift_ringbuilder' puppet_tags: exec,fetch_swift_ring_tarball,extract_swift_ring_tarball,ring_object_device,swift::ringbuilder::create,tripleo::profile::base::swift::add_devices,swift::ringbuilder::rebalance,create_swift_ring_tarball,upload_swift_ring_tarball step_config: *step_config - config_image: {get_param: DockerSwiftConfigImage} + config_image: &swift_ringbuilder_image {get_param: DockerSwiftConfigImage} kolla_config: {} - docker_config: {} + docker_config: + step_3: + swift_copy_rings: + image: *swift_ringbuilder_image + user: root + detach: false + command: + # Use bash to run the cp command so that wildcards can be used + - '/bin/bash' + - '-c' + - 'cp -v -a -t /etc/swift /swift_ringbuilder/etc/swift/*.gz /swift_ringbuilder/etc/swift/*.builder /swift_ringbuilder/etc/swift/backups' + volumes: + - /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:rw + - /var/lib/config-data/swift_ringbuilder:/swift_ringbuilder:ro diff --git a/docker/services/zaqar.yaml b/docker/services/zaqar.yaml index b6fb4001..34f2e439 100644 --- a/docker/services/zaqar.yaml +++ b/docker/services/zaqar.yaml 
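Review bot: The `swift_copy_rings` command relies on shell globs; in bash without `nullglob`, an unmatched `*.gz` or `*.builder` is passed to `cp` literally and the step fails (the container is `detach: false`), which may be intended as a guard against missing rings but should be stated, e.g. `# fails step 3 if no ring files were produced` on the `command:` key. `DockerSwiftRingbuilderConfigImage` is described as a "Fake parameter to bypass config_volume yaml validation" and the real image still comes from `DockerSwiftConfigImage`, so the description should name the check it satisfies, roughly `Unused; satisfies the Docker<ConfigVolume>ConfigImage naming check for config_volume 'swift_ringbuilder'` — confirm that is the validation meant. The anchor `&swift_ringbuilder_image` pointing at DockerSwiftConfigImage is also misleading; `&swift_config_image` would read honestly.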
@@ -130,7 +130,8 @@ outputs: - - /var/lib/config-data/zaqar/etc/zaqar/:/etc/zaqar/:ro - /var/log/containers/zaqar:/var/log/zaqar - command: "/usr/bin/bootstrap_host_exec zaqar su zaqar -s /bin/bash -c 'zaqar-sql-db-manage upgrade head'" + - /var/log/containers/httpd/zaqar:/var/log/httpd + command: "/usr/bin/bootstrap_host_exec zaqar_api su zaqar -s /bin/bash -c 'zaqar-sql-db-manage upgrade head'" - {} - step_4: zaqar: |