Diffstat (limited to 'docker/services')
28 files changed, 834 insertions, 53 deletions
diff --git a/docker/services/ceph-ansible/ceph-base.yaml b/docker/services/ceph-ansible/ceph-base.yaml new file mode 100644 index 00000000..1468415e --- /dev/null +++ b/docker/services/ceph-ansible/ceph-base.yaml 
@@ -0,0 +1,205 @@ +heat_template_version: pike + +description: > + Ceph base service. Shared by all Ceph services. + +parameters: + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + CephAnsibleWorkflowName: + type: string + description: Name of the Mistral workflow to execute + default: tripleo.storage.v1.ceph-install + CephAnsiblePlaybook: + type: string + description: Path to the ceph-ansible playbook to execute + default: /usr/share/ceph-ansible/site-docker.yml.sample + CephAnsibleExtraConfig: + type: json + description: Extra vars for the ceph-ansible playbook + default: {} + CephClusterFSID: + type: string + description: The Ceph cluster FSID. Must be a UUID. + CephPoolDefaultPgNum: + description: default pg_num to use for the RBD pools + type: number + default: 32 + CephPools: + description: > + It can be used to override settings for one of the predefined pools, or to create + additional ones. 
Example: + { + "volumes": { + "size": 5, + "pg_num": 128, + "pgp_num": 128 + } + } + default: {} + type: json + CinderRbdPoolName: + default: volumes + type: string + CinderBackupRbdPoolName: + default: backups + type: string + GlanceRbdPoolName: + default: images + type: string + GnocchiRbdPoolName: + default: metrics + type: string + NovaRbdPoolName: + default: vms + type: string + CephClientKey: + description: The Ceph client key. Can be created with ceph-authtool --gen-print-key. Currently only used for external Ceph deployments to create the openstack user keyring. + type: string + hidden: true + CephClientUserName: + default: openstack + type: string + CephPoolDefaultSize: + description: default minimum replication for RBD copies + type: number + default: 3 + CephIPv6: + default: False + type: boolean + DockerCephDaemonImage: + description: image + type: string + default: 'ceph/daemon:tag-build-master-jewel-centos-7' + +conditions: + custom_registry_host: + yaql: + data: {get_param: DockerCephDaemonImage} + expression: $.data.split('/')[0].matches('(\.|:)') + +outputs: + role_data: + description: Role data for the Ceph base service. 
+ value: + service_name: ceph_base + upgrade_tasks: [] + step_config: '' + puppet_config: + config_image: '' + config_volume: '' + step_config: '' + docker_config: {} + service_workflow_tasks: + step2: + - name: ceph_base_ansible_workflow + workflow: { get_param: CephAnsibleWorkflowName } + input: + ceph_ansible_extra_vars: {get_param: CephAnsibleExtraConfig} + ceph_ansible_playbook: {get_param: CephAnsiblePlaybook} + config_settings: + ceph_common_ansible_vars: + fsid: { get_param: CephClusterFSID } + docker: true + ceph_docker_registry: + if: + - custom_registry_host + - yaql: + expression: regex('(?:https?://)?(.*)/').split($.data)[1] + data: {str_split: [':', {get_param: DockerCephDaemonImage}, 0]} + - docker.io + ceph_docker_image: + if: + - custom_registry_host + - yaql: + expression: regex('(?:https?://)?(.*)/').split($.data)[2] + data: {str_split: [':', {get_param: DockerCephDaemonImage}, 0]} + - {str_split: [':', {get_param: DockerCephDaemonImage}, 0]} + ceph_docker_image_tag: {str_split: [':', {get_param: DockerCephDaemonImage}, 1]} + containerized_deployment: true + public_network: {get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephMonNetwork]}]} + cluster_network: {get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephClusterNetwork]}]} + user_config: true + ceph_stable: true + ceph_origin: distro + openstack_config: true + openstack_pools: + list_concat: + - repeat: + template: + name: <%pool%> + pg_num: {get_param: CephPoolDefaultPgNum} + rule_name: "" + for_each: + <%pool%>: + - {get_param: CinderRbdPoolName} + - {get_param: CinderBackupRbdPoolName} + - {get_param: NovaRbdPoolName} + - {get_param: GlanceRbdPoolName} + - {get_param: GnocchiRbdPoolName} + - repeat: + template: + name: <%pool%> + pg_num: {get_param: CephPoolDefaultPgNum} + rule_name: "" + for_each: + <%pool%>: {get_param: CephPools} + openstack_keys: &openstack_keys + - name: + list_join: + - '.' 
+ - - client + - {get_param: CephClientUserName} + key: {get_param: CephClientKey} + mon_cap: "allow r" + osd_cap: + str_replace: + template: "allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=CINDERBACKUP_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL, allow rwx pool=GNOCCHI_POOL" + params: + NOVA_POOL: {get_param: NovaRbdPoolName} + CINDER_POOL: {get_param: CinderRbdPoolName} + CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} + GLANCE_POOL: {get_param: GlanceRbdPoolName} + GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + acls: + - "u:glance:r--" + - "u:nova:r--" + - "u:cinder:r--" + - "u:gnocchi:r--" + keys: *openstack_keys + pools: [] + ceph_conf_overrides: + global: + osd_pool_default_size: {get_param: CephPoolDefaultSize} + osd_pool_default_pg_num: {get_param: CephPoolDefaultPgNum} + ntp_service_enabled: false + generate_fsid: false + ip_version: + if: + - {get_param: CephIPv6} + - ipv6 + - ipv4 diff --git a/docker/services/ceph-ansible/ceph-client.yaml b/docker/services/ceph-ansible/ceph-client.yaml new file mode 100644 index 00000000..55d8d9da --- /dev/null +++ b/docker/services/ceph-ansible/ceph-client.yaml 
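Review bot: The registry/image/tag extraction under `config_settings` (`ceph_docker_registry`, `ceph_docker_image`, `ceph_docker_image_tag`) splits `DockerCephDaemonImage` on the first `:` via `str_split` index 0/1, so a reference with a registry port such as `host:5000/ceph/daemon:tag` yields `host` as the image part and `5000/ceph/daemon` as the tag, even though the `custom_registry_host` condition explicitly accepts a `:` in the host component. Either split on the last `:` instead, or state the supported form in the parameter description, which is currently just `image`, e.g. `description: Ceph daemon container image as [registry/]name:tag; a port in the registry host is not supported`. The `CephClientKey` description still says it is "Currently only used for external Ceph deployments", but this template feeds it into `openstack_keys`, so that sentence should be dropped. `CephIPv6` defaults to `False`; write `false` to match the lowercase booleans used elsewhere in the template.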
@@ -0,0 +1,58 @@ +heat_template_version: pike + +description: > + Ceph Client service. + +parameters: + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +resources: + CephBase: + type: ./ceph-base.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Ceph Client service. + value: + service_name: ceph_client + upgrade_tasks: [] + step_config: '' + puppet_config: + config_image: '' + config_volume: '' + step_config: '' + docker_config: {} + service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]} + config_settings: {} diff --git a/docker/services/ceph-ansible/ceph-mon.yaml b/docker/services/ceph-ansible/ceph-mon.yaml new file mode 100644 index 00000000..90149d1e --- /dev/null +++ b/docker/services/ceph-ansible/ceph-mon.yaml 
@@ -0,0 +1,86 @@ +heat_template_version: pike + +description: > + Ceph Monitor service. + +parameters: + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + CephMonKey: + description: The Ceph monitors key. Can be created with ceph-authtool --gen-print-key. + type: string + hidden: true + CephAdminKey: + default: '' + description: The Ceph admin client key. Can be created with ceph-authtool --gen-print-key. + type: string + hidden: true + CephValidationRetries: + type: number + default: 40 + description: Number of retry attempts for Ceph validation + CephValidationDelay: + type: number + default: 30 + description: Interval (in seconds) in between validation checks + +resources: + CephBase: + type: ./ceph-base.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Ceph Monitor service. 
+ value: + service_name: ceph_mon + upgrade_tasks: [] + step_config: '' + puppet_config: + config_image: '' + config_volume: '' + step_config: '' + docker_config: {} + service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]} + config_settings: + map_merge: + - tripleo.ceph_mon.firewall_rules: + '110 ceph_mon': + dport: + - 6789 + - ceph_mon_ansible_vars: + map_merge: + - {get_attr: [CephBase, role_data, config_settings, ceph_common_ansible_vars]} + - monitor_secret: {get_param: CephMonKey} + admin_secret: {get_param: CephAdminKey} + monitor_interface: br_ex diff --git a/docker/services/ceph-ansible/ceph-osd.yaml b/docker/services/ceph-ansible/ceph-osd.yaml new file mode 100644 index 00000000..6e0f4a60 --- /dev/null +++ b/docker/services/ceph-ansible/ceph-osd.yaml 
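Review bot: `monitor_interface: br_ex` in `ceph_mon_ansible_vars` hard-codes a host interface (presumably the `br-ex` bridge in ansible fact spelling), while ceph-base already derives `public_network` from `ServiceNetMap`/`CephMonNetwork`; a role without that bridge, such as a dedicated monitor role, would presumably end up with no usable monitor address. Deriving the address from the same network map (ceph-ansible also accepts a per-monitor address variable) would keep the two templates consistent; until then a comment such as `# TODO: derive from ServiceNetMap/CephMonNetwork rather than assuming the br-ex bridge` records the assumption. `CephAdminKey` defaults to `''` and is passed straight through as `admin_secret`; if an empty admin secret is not meaningful to ceph-ansible, drop the default so Heat rejects a missing value, as `CephMonKey` already does.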
@@ -0,0 +1,75 @@ +heat_template_version: pike + +description: > + Ceph OSD service. + +parameters: + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + CephAnsibleDisksConfig: + type: json + description: Disks config settings for ceph-ansible + default: + devices: + - /dev/vdb + journal_size: 512 + journal_collocation: true + +resources: + CephBase: + type: ./ceph-base.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Ceph OSD service. + value: + service_name: ceph_osd + upgrade_tasks: [] + step_config: '' + puppet_config: + config_image: '' + config_volume: '' + step_config: '' + docker_config: {} + service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]} + config_settings: + map_merge: + - tripleo.ceph_osd.firewall_rules: + '111 ceph_osd': + dport: + - '6800-7300' + - ceph_osd_ansible_vars: + map_merge: + - {get_attr: [CephBase, role_data, config_settings, ceph_common_ansible_vars]} + - {get_param: CephAnsibleDisksConfig}
\ No newline at end of file diff --git a/docker/services/cinder-api.yaml b/docker/services/cinder-api.yaml index 0cd1dd7b..7804fdb2 100644 --- a/docker/services/cinder-api.yaml +++ b/docker/services/cinder-api.yaml @@ -86,6 +86,17 @@ outputs: - path: /var/log/cinder owner: cinder:cinder recurse: true + /var/lib/kolla/config_files/cinder_api_cron.json: + command: /usr/sbin/crond -n + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + permissions: + - path: /var/log/cinder + owner: cinder:cinder + recurse: true docker_config: step_2: cinder_api_init_logs: @@ -140,6 +151,21 @@ outputs: - '' environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + cinder_api_cron: + image: *cinder_api_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/cinder_api_cron.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/cinder/:/var/lib/kolla/config_files/src:ro + - /var/log/containers/cinder:/var/log/cinder + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: - name: create persistent logs directory file: diff --git a/docker/services/cinder-backup.yaml b/docker/services/cinder-backup.yaml index dc7580a3..de637f3b 100644 --- a/docker/services/cinder-backup.yaml +++ b/docker/services/cinder-backup.yaml 
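Review bot: `CephAnsibleDisksConfig` defaults to `devices: [/dev/vdb]` with `journal_collocation: true`, so a deployment that forgets to override the parameter hands ceph-ansible a concrete block device on every OSD node to prepare as an OSD; a default that names a real device is a destructive default. Making the parameter required (no `default:`) or defaulting `devices` to `[]`, and saying so in the description, e.g. `description: Disks config settings for ceph-ansible; every entry under devices is prepared as an OSD`, makes the operator's intent explicit. The file also ends without a trailing newline (`\ No newline at end of file`).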
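Review bot: The new `cinder_api_cron` container has no `user:` key, so `crond -n` runs as whatever user the image defaults to, whereas `nova_api_cron` in the same commit states `user: root` explicitly; adding `user: root` (or a comment saying the image default is relied upon) makes the effective privilege visible next to `privileged: false`. The same omission applies to `heat_api_cron` and `keystone_cron` added in this commit.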
@@ -72,16 +72,12 @@ outputs: /var/lib/kolla/config_files/cinder_backup.json: command: /usr/bin/cinder-backup --config-file /usr/share/cinder/cinder-dist.conf --config-file /etc/cinder/cinder.conf config_files: - # NOTE(mandre): the copy of ceph conf will need to go once we - # generate a ceph.conf for cinder in puppet - # Copy ceph config files before cinder ones as a precaution, for - # the later one to take precendence in case of duplicate files. - - source: "/var/lib/kolla/config_files/src-ceph/*" + - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true - - source: "/var/lib/kolla/config_files/src/*" - dest: "/" + - source: "/var/lib/kolla/config_files/src-ceph/" + dest: "/etc/ceph/" merge: true preserve_properties: true - source: "/var/lib/kolla/config_files/src-iscsid/*" @@ -118,8 +114,8 @@ outputs: - /var/lib/kolla/config_files/cinder_backup.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/cinder/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/puppet-generated/iscsid/:/var/lib/kolla/config_files/src-iscsid:ro - # FIXME: we need to generate a ceph.conf with puppet for this - /var/lib/config-data/puppet-generated/ceph/:/var/lib/kolla/config_files/src-ceph:ro + - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro - /dev/:/dev/ - /run/:/run/ - /sys:/sys @@ -136,6 +132,10 @@ outputs: with_items: - /var/lib/cinder - /var/log/containers/cinder + - name: ensure ceph configurations exist + file: + path: /etc/ceph + state: directory upgrade_tasks: - name: Stop and disable cinder_backup service tags: step2 diff --git a/docker/services/cinder-volume.yaml b/docker/services/cinder-volume.yaml index 3030019c..ce81fbf8 100644 --- a/docker/services/cinder-volume.yaml +++ b/docker/services/cinder-volume.yaml 
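Review bot: The new `ensure ceph configurations exist` task creates `/etc/ceph` on the host with no `owner`/`mode`, and the directory is then bind-mounted read-only and copied into the container with `preserve_properties: true`, so whether the cinder user inside the container can read the keyring that ceph-ansible later places there depends entirely on the permissions ceph-ansible sets, which this template neither checks nor documents. A comment on the task recording that dependency, e.g. `# /etc/ceph (ceph.conf, keyrings) is populated by the ceph-ansible workflow; file ownership and mode come from there`, would help the next person debugging a permission denied on the keyring. The identical task and `src-ceph` mount are added to cinder-volume, glance-api, gnocchi-metricd, manila-share and nova-compute in this commit, and the same note applies there.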
@@ -86,16 +86,12 @@ outputs: /var/lib/kolla/config_files/cinder_volume.json: command: /usr/bin/cinder-volume --config-file /usr/share/cinder/cinder-dist.conf --config-file /etc/cinder/cinder.conf config_files: - # NOTE(mandre): the copy of ceph conf will need to go once we - # generate a ceph.conf for cinder in puppet - # Copy ceph config files before cinder ones as a precaution, for - # the later one to take precendence in case of duplicate files. - - source: "/var/lib/kolla/config_files/src-ceph/*" + - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true - - source: "/var/lib/kolla/config_files/src/*" - dest: "/" + - source: "/var/lib/kolla/config_files/src-ceph/" + dest: "/etc/ceph/" merge: true preserve_properties: true - source: "/var/lib/kolla/config_files/src-iscsid/*" @@ -129,8 +125,8 @@ outputs: - /var/lib/kolla/config_files/cinder_volume.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/cinder/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/puppet-generated/iscsid/:/var/lib/kolla/config_files/src-iscsid:ro - # FIXME: we need to generate a ceph.conf with puppet for this - /var/lib/config-data/puppet-generated/ceph/:/var/lib/kolla/config_files/src-ceph:ro + - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro - /lib/modules:/lib/modules:ro - /dev/:/dev/ - /run/:/run/ @@ -147,6 +143,10 @@ outputs: with_items: - /var/log/containers/cinder - /var/lib/cinder + - name: ensure ceph configurations exist + file: + path: /etc/ceph + state: directory - name: cinder_enable_iscsi_backend fact set_fact: cinder_enable_iscsi_backend: {get_param: CinderEnableIscsiBackend} diff --git a/docker/services/collectd.yaml b/docker/services/collectd.yaml index 2989729c..3c0ba09b 100644 --- a/docker/services/collectd.yaml +++ b/docker/services/collectd.yaml 
@@ -89,15 +89,17 @@ outputs: collectd: image: {get_param: DockerCollectdImage} net: host + pid: host privileged: true + user: root restart: always volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - - /var/run/docker.sock:/var/run/docker.sock:rw - /var/lib/kolla/config_files/collectd.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/collectd/:/var/lib/kolla/config_files/src:ro + - /var/log/containers/collectd:/var/log/collectd:rw environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: diff --git a/docker/services/glance-api.yaml b/docker/services/glance-api.yaml index d88c64b5..f4c724b0 100644 --- a/docker/services/glance-api.yaml +++ b/docker/services/glance-api.yaml @@ -86,6 +86,10 @@ outputs: dest: "/" merge: true preserve_properties: true + - source: "/var/lib/kolla/config_files/src-ceph/" + dest: "/etc/ceph/" + merge: true + preserve_properties: true /var/lib/kolla/config_files/glance_api_tls_proxy.json: command: /usr/sbin/httpd -DFOREGROUND config_files: @@ -117,6 +121,7 @@ outputs: - /var/lib/kolla/config_files/glance_api.json:/var/lib/kolla/config_files/config.json - /var/lib/config-data/puppet-generated/glance_api/:/var/lib/kolla/config_files/src:ro - /var/log/containers/glance:/var/log/glance + - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro environment: - KOLLA_BOOTSTRAP=True - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS @@ -156,6 +161,10 @@ outputs: file: path: /var/log/containers/glance state: directory + - name: ensure ceph configurations exist + file: + path: /etc/ceph + state: directory upgrade_tasks: - name: Stop and disable glance_api service tags: step2 diff --git a/docker/services/gnocchi-metricd.yaml b/docker/services/gnocchi-metricd.yaml index 1a0a1ddb..6778543b 100644 --- a/docker/services/gnocchi-metricd.yaml +++ b/docker/services/gnocchi-metricd.yaml 
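Review bot: The `collectd` container now combines `pid: host` and `user: root` with the existing `privileged: true` and read-write `/var/run/docker.sock` mount, which amounts to unrestricted root on the host, and none of the new lines say which collectd plugin needs each of them. A comment naming the plugin behind each addition, e.g. `# pid: host / root needed by the processes and virt plugins — TODO confirm`, would let a later reviewer see which of these can be dropped. The added `/var/log/containers/collectd:/var/log/collectd:rw` mount needs a matching `host_prep_tasks` entry creating `/var/log/containers/collectd`; the hunk ends at `host_prep_tasks:`, so I cannot tell whether one exists.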
@@ -75,6 +75,10 @@ outputs: dest: "/" merge: true preserve_properties: true + - source: "/var/lib/kolla/config_files/src-ceph/" + dest: "/etc/ceph/" + merge: true + preserve_properties: true permissions: - path: /var/log/gnocchi owner: gnocchi:gnocchi @@ -93,6 +97,7 @@ outputs: - /var/lib/kolla/config_files/gnocchi_metricd.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/gnocchi/:/var/lib/kolla/config_files/src:ro - /var/log/containers/gnocchi:/var/log/gnocchi + - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -100,6 +105,10 @@ outputs: file: path: /var/log/containers/gnocchi state: directory + - name: ensure ceph configurations exist + file: + path: /etc/ceph + state: directory upgrade_tasks: - name: Stop and disable openstack-gnocchi-metricd service tags: step2 diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml index 21baf5c6..f080dcb2 100644 --- a/docker/services/haproxy.yaml +++ b/docker/services/haproxy.yaml @@ -46,7 +46,7 @@ parameters: The filepath of the certificate as it will be stored in the controller. type: string RedisPassword: - description: The password for Redis + description: The password for the redis service account. type: string hidden: true MonitoringSubscriptionHaproxy: diff --git a/docker/services/heat-api-cfn.yaml b/docker/services/heat-api-cfn.yaml index aff0f1a1..70612899 100644 --- a/docker/services/heat-api-cfn.yaml +++ b/docker/services/heat-api-cfn.yaml 
@@ -125,8 +125,25 @@ outputs: path: /var/log/containers/heat state: directory upgrade_tasks: - - name: Stop and disable heat_api_cfn service + - name: Check if heat_api_cfn is deployed + command: systemctl is-enabled openstack-heat-api-cfn + tags: common + ignore_errors: True + register: heat_api_cfn_enabled + - name: check for heat_api_cfn running under apache (post upgrade) tags: step2 - service: name=httpd state=stopped enabled=no + shell: "httpd -t -D DUMP_VHOSTS | grep -q heat_api_cfn_wsgi" + register: heat_api_cfn_apache + ignore_errors: true + changed_when: false + check_mode: no + - name: Stop heat_api_cfn service (running under httpd) + tags: step2 + service: name=httpd state=stopped + when: heat_api_cfn_apache.rc == 0 + - name: Stop and disable heat_api_cfn service (pre-upgrade not under httpd) + tags: step2 + service: name=openstack-heat-api-cfn state=stopped enabled=no + when: heat_api_cfn_enabled.rc == 0 metadata_settings: get_attr: [HeatBase, role_data, metadata_settings] diff --git a/docker/services/heat-api.yaml b/docker/services/heat-api.yaml index d09230fe..0bc331ca 100644 --- a/docker/services/heat-api.yaml +++ b/docker/services/heat-api.yaml @@ -90,6 +90,17 @@ outputs: - path: /var/log/heat owner: heat:heat recurse: true + /var/lib/kolla/config_files/heat_api_cron.json: + command: /usr/sbin/crond -n + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + permissions: + - path: /var/log/heat + owner: heat:heat + recurse: true docker_config: step_4: heat_api: 
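Review bot: The `Check if heat_api_cfn is deployed` task is tagged `common` while the `when: heat_api_cfn_enabled.rc == 0` that consumes its registered result is tagged `step2`; if the upgrade play is ever run with only the step tag selected, the variable is undefined and the final task errors out instead of skipping. Guarding the consumer, `when: heat_api_cfn_enabled is defined and heat_api_cfn_enabled.rc == 0`, makes the dependency explicit. Boolean casing is also mixed within the hunk (`ignore_errors: True`, `ignore_errors: true`, `check_mode: no`) and should be lowercase `true`/`false` throughout. The same sequence, with the same two issues, is added to the heat-api.yaml upgrade tasks in this commit.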
@@ -119,14 +130,45 @@ outputs: - '' environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + heat_api_cron: + image: {get_param: DockerHeatApiImage} + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/heat_api_cron.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/heat_api/:/var/lib/kolla/config_files/src:ro + - /var/log/containers/heat:/var/log/heat + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: - name: create persistent logs directory file: path: /var/log/containers/heat state: directory upgrade_tasks: - - name: Stop and disable heat_api service + - name: Check is heat_api is deployed + command: systemctl is-enabled openstack-heat-api + tags: common + ignore_errors: True + register: heat_api_enabled + - name: check for heat_api running under apache (post upgrade) + tags: step2 + shell: "httpd -t -D DUMP_VHOSTS | grep -q heat_api_wsgi" + register: heat_api_apache + ignore_errors: true + changed_when: false + check_mode: no + - name: Stop heat_api service (running under httpd) + tags: step2 + service: name=httpd state=stopped + when: heat_api_apache.rc == 0 + - name: Stop and disable heat_api service (pre-upgrade not under httpd) tags: step2 - service: name=httpd state=stopped enabled=no + service: name=openstack-heat-api state=stopped enabled=no + when: heat_api_enabled.rc == 0 metadata_settings: get_attr: [HeatBase, role_data, metadata_settings] diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml index da04682e..7ecfc329 100644 --- a/docker/services/keystone.yaml +++ b/docker/services/keystone.yaml 
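Review bot: The task name `Check is heat_api is deployed` has a typo and should read `Check if heat_api is deployed`, matching the wording used in heat-api-cfn.yaml. The check/stop sequence otherwise mirrors heat-api-cfn.yaml and carries the same registered-variable tag dependency and mixed boolean casing (`True`, `true`, `no`).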
@@ -98,6 +98,17 @@ outputs: dest: "/" merge: true preserve_properties: true + /var/lib/kolla/config_files/keystone_cron.json: + command: /usr/sbin/cron -n + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + permissions: + - path: /var/log/keystone + owner: keystone:keystone + recurse: true docker_config: # Kolla_bootstrap/db sync runs before permissions set by kolla_config step_2: @@ -150,6 +161,21 @@ outputs: user: root command: [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ] + keystone_cron: + start_order: 4 + image: *keystone_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro + - /var/log/containers/keystone:/var/log/keystone + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS docker_puppet_tasks: # Keystone endpoint creation occurs only on single node step_3: diff --git a/docker/services/manila-share.yaml b/docker/services/manila-share.yaml index 09d1a574..b4278155 100644 --- a/docker/services/manila-share.yaml +++ b/docker/services/manila-share.yaml @@ -75,9 +75,8 @@ outputs: dest: "/" merge: true preserve_properties: true - # NOTE(gfidente): ceph-ansible generated - - source: "/var/lib/kolla/config_files/src-ceph/*" - dest: "/etc/ceph" + - source: "/var/lib/kolla/config_files/src-ceph/" + dest: "/etc/ceph/" merge: true preserve_properties: true permissions: 
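Review bot: The `keystone_cron.json` command is `/usr/sbin/cron -n`, whereas every other cron container introduced in this commit (`cinder_api_cron`, `heat_api_cron`, `nova_api_cron`) uses `/usr/sbin/crond -n`; `cron` is the Debian binary name and `crond` the RHEL/CentOS one, so unless the keystone image is built differently from the others this container will fail to start. Change the line to `command: /usr/sbin/crond -n`, or add a comment explaining why keystone's image differs. `start_order: 4` is also unique to this cron entry among the four; a short comment on what it must wait for would help.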
@@ -97,7 +96,7 @@ outputs: - /var/lib/kolla/config_files/manila_share.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/manila/:/var/lib/kolla/config_files/src:ro - /var/log/containers/manila:/var/log/manila - - /etc/ceph/:/var/lib/kolla/config_files/src-ceph:ro + - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -105,6 +104,10 @@ outputs: file: path: /var/log/containers/manila state: directory + - name: ensure ceph configurations exist + file: + path: /etc/ceph + state: directory upgrade_tasks: - name: Stop and disable manila_share service tags: step2 diff --git a/docker/services/neutron-dhcp.yaml b/docker/services/neutron-dhcp.yaml index eed8a1c0..4b75d542 100644 --- a/docker/services/neutron-dhcp.yaml +++ b/docker/services/neutron-dhcp.yaml @@ -81,6 +81,9 @@ outputs: - path: /var/log/neutron owner: neutron:neutron recurse: true + - path: /var/lib/neutron + owner: neutron:neutron + recurse: true docker_config: step_4: neutron_dhcp: @@ -97,10 +100,15 @@ outputs: - /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro - /lib/modules:/lib/modules:ro - /run/:/run + - /var/lib/neutron:/var/lib/neutron - /var/log/containers/neutron:/var/log/neutron environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: + - name: create /var/lib/neutron + file: + path: /var/lib/neutron + state: directory - name: create persistent logs directory file: path: /var/log/containers/neutron diff --git a/docker/services/neutron-l3.yaml b/docker/services/neutron-l3.yaml index c3a4d27f..06470c05 100644 --- a/docker/services/neutron-l3.yaml +++ b/docker/services/neutron-l3.yaml @@ -77,6 +77,9 @@ outputs: - path: /var/log/neutron owner: neutron:neutron recurse: true + - path: /var/lib/neutron + owner: neutron:neutron + recurse: true docker_config: step_4: neutron_l3_agent: 
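Review bot: The `create /var/lib/neutron` host_prep_task creates the directory with no `owner` or `mode`, so ownership is left to the `recurse: true` chown in the kolla `permissions` stanza, which every start of the dhcp container repeats on a persistent, shared directory; the l3 and metadata agents in this commit mount and chown the same host path. If the host has no neutron user that is the only option, and a comment on the task saying so, e.g. `# owner is set by kolla at container start; the host may have no neutron user`, would keep a later reviewer from changing it; otherwise set `owner`/`group` here and the recursive chown becomes unnecessary.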
@@ -93,10 +96,15 @@ outputs: - /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro - /lib/modules:/lib/modules:ro - /run:/run + - /var/lib/neutron:/var/lib/neutron - /var/log/containers/neutron:/var/log/neutron environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: + - name: create /var/lib/neutron + file: + path: /var/lib/neutron + state: directory - name: create persistent logs directory file: path: /var/log/containers/neutron diff --git a/docker/services/neutron-metadata.yaml b/docker/services/neutron-metadata.yaml index 582b7754..a5a7c34b 100644 --- a/docker/services/neutron-metadata.yaml +++ b/docker/services/neutron-metadata.yaml @@ -77,6 +77,9 @@ outputs: - path: /var/log/neutron owner: neutron:neutron recurse: true + - path: /var/lib/neutron + owner: neutron:neutron + recurse: true docker_config: step_4: neutron_metadata_agent: @@ -93,10 +96,15 @@ outputs: - /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro - /lib/modules:/lib/modules:ro - /run:/run + - /var/lib/neutron:/var/lib/neutron - /var/log/containers/neutron:/var/log/neutron environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: + - name: create /var/lib/neutron + file: + path: /var/lib/neutron + state: directory - name: create persistent logs directory file: path: /var/log/containers/neutron diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml index 1d73a538..4bec8035 100644 --- a/docker/services/nova-api.yaml +++ b/docker/services/nova-api.yaml @@ -88,6 +88,17 @@ outputs: - path: /var/log/nova owner: nova:nova recurse: true + /var/lib/kolla/config_files/nova_api_cron.json: + command: /usr/sbin/crond -n + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + permissions: + - path: /var/log/nova + owner: nova:nova + recurse: true docker_config: # db sync runs before permissions set by kolla_config step_2: 
@@ -151,7 +162,7 @@ outputs: user: nova privileged: true restart: always - volumes: &nova_api_volumes + volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - @@ -164,12 +175,17 @@ outputs: image: *nova_api_image net: host user: root - privileged: true + privileged: false restart: always - volumes: *nova_api_volumes + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/nova_api_cron.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro + - /var/log/containers/nova:/var/log/nova environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - command: "/usr/sbin/crond -n" step_5: nova_api_discover_hosts: start_order: 1 diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml index 3ee3e431..c6e848a0 100644 --- a/docker/services/nova-compute.yaml +++ b/docker/services/nova-compute.yaml @@ -36,6 +36,11 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + DockerNovaMigrationSshdPort: + default: 2022 + description: Port that dockerized nova migration target sshd service + binds to. + type: number resources: @@ -51,6 +56,7 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + MigrationSshPort: {get_param: DockerNovaMigrationSshdPort} outputs: role_data: 
@@ -58,14 +64,7 @@ outputs: value: service_name: {get_attr: [NovaComputeBase, role_data, service_name]} config_settings: - map_merge: - - get_attr: [NovaComputeBase, role_data, config_settings] - # FIXME: we need to disable migration for now as the - # hieradata is common for all services, and this means nova - # and nova_placement puppet runs also try to configure - # libvirt, and they fail. We can remove this override when - # we have hieradata separation between containers. - - tripleo::profile::base::nova::manage_migration: false + get_attr: [NovaComputeBase, role_data, config_settings] step_config: &step_config get_attr: [NovaComputeBase, role_data, step_config] puppet_config: @@ -85,6 +84,10 @@ outputs: dest: "/" merge: true preserve_properties: true + - source: "/var/lib/kolla/config_files/src-ceph/" + dest: "/etc/ceph/" + merge: true + preserve_properties: true permissions: - path: /var/log/nova owner: nova:nova @@ -108,12 +111,15 @@ outputs: - /var/lib/kolla/config_files/nova_compute.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/nova_libvirt/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/puppet-generated/iscsid/:/var/lib/kolla/config_files/src-iscsid:ro + - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro - /dev:/dev - /lib/modules:/lib/modules:ro - /run:/run - /var/lib/nova:/var/lib/nova - /var/lib/libvirt:/var/lib/libvirt - /var/log/containers/nova:/var/log/nova + - /sys/class/net:/sys/class/net + - /sys/bus/pci:/sys/bus/pci environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -125,6 +131,10 @@ outputs: - /var/log/containers/nova - /var/lib/nova - /var/lib/libvirt + - name: ensure ceph configurations exist + file: + path: /etc/ceph + state: directory upgrade_tasks: - name: Stop and disable nova-compute service tags: step2 diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml index e1ddca81..973b0ebb 100644 --- a/docker/services/nova-libvirt.yaml 
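Review bot: The new `/sys/class/net:/sys/class/net` and `/sys/bus/pci:/sys/bus/pci` volumes in the `@@ -108,12 +111,15 @@` hunk are mounted read-write, while the sibling `/lib/modules` and `/etc/ceph` mounts are `:ro`; if nova-compute only reads these trees for device discovery, `- /sys/class/net:/sys/class/net:ro` and `- /sys/bus/pci:/sys/bus/pci:ro` keep the container from writing into sysfs. If a write is genuinely required (I cannot tell from the hunk), a one-line comment above the two mounts naming that reason would stop the next reviewer from adding `:ro`. The docker_config for nova_compute continues outside the hunk.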
+++ b/docker/services/nova-libvirt.yaml @@ -51,6 +51,12 @@ parameters: description: If set to true and if EnableInternalTLS is enabled, it will set the libvirt URI's transport to tls and configure the relevant keys for libvirt. + DockerNovaMigrationSshdPort: + default: 2022 + description: Port that dockerized nova migration target sshd service + binds to. + type: number + conditions: @@ -77,6 +83,7 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + MigrationSshPort: {get_param: DockerNovaMigrationSshdPort} outputs: role_data: @@ -84,19 +91,12 @@ outputs: value: service_name: {get_attr: [NovaLibvirtBase, role_data, service_name]} config_settings: - map_merge: - - get_attr: [NovaLibvirtBase, role_data, config_settings] - # FIXME: we need to disable migration for now as the - # hieradata is common for all services, and this means nova - # and nova_placement puppet runs also try to configure - # libvirt, and they fail. We can remove this override when - # we have hieradata separation between containers. - - tripleo::profile::base::nova::manage_migration: false + get_attr: [NovaLibvirtBase, role_data, config_settings] step_config: &step_config get_attr: [NovaLibvirtBase, role_data, step_config] puppet_config: config_volume: nova_libvirt - puppet_tags: nova_config,file,exec + puppet_tags: libvirtd_config,nova_config,file,exec step_config: *step_config config_image: {get_param: DockerNovaLibvirtConfigImage} kolla_config: @@ -111,6 +111,10 @@ outputs: dest: "/" merge: true preserve_properties: true + - source: "/var/lib/kolla/config_files/src-ceph/" + dest: "/etc/ceph/" + merge: true + preserve_properties: true permissions: - path: /var/log/nova owner: nova:nova 
@@ -129,6 +133,7 @@ outputs: - - /var/lib/kolla/config_files/nova_libvirt.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/nova_libvirt/:/var/lib/kolla/config_files/src:ro + - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro - /lib/modules:/lib/modules:ro - /dev:/dev - /run:/run @@ -153,6 +158,10 @@ outputs: - /etc/libvirt/qemu - /var/lib/libvirt - /var/log/containers/nova + - name: ensure ceph configurations exist + file: + path: /etc/ceph + state: directory - name: set enable_package_install fact set_fact: enable_package_install: {get_param: EnablePackageInstall} diff --git a/docker/services/nova-migration-target.yaml b/docker/services/nova-migration-target.yaml new file mode 100644 index 00000000..385343a0 --- /dev/null +++ b/docker/services/nova-migration-target.yaml 
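Review bot: The `/etc/ceph:/var/lib/kolla/config_files/src-ceph:ro` mount together with the `src-ceph` copy entry using `preserve_properties: true` (hunk `@@ -111,6 +111,10 @@`, and the same pair in nova-compute.yaml) copies whatever the host has in /etc/ceph — client keyrings included — into the container with the host's file modes; a comment such as `# copies host /etc/ceph (incl. keyrings) into the container, keeping host permissions` above the copy entry would make that dependency on host-side permissions explicit. The `ensure ceph configurations exist` task creates /etc/ceph with no explicit `mode` and is duplicated verbatim in nova-compute.yaml, so the two copies need to stay in step. The host_prep_tasks list continues outside the hunk.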
@@ -0,0 +1,124 @@ +heat_template_version: pike + +description: > + OpenStack containerized Nova Migration Target service + +parameters: + DockerNovaComputeImage: + description: image + type: string + DockerNovaLibvirtConfigImage: + description: The container image to use for the nova_libvirt config_volume + type: string + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + DockerNovaMigrationSshdPort: + default: 2022 + description: Port that dockerized nova migration target sshd service + binds to. + type: number + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + SshdBase: + type: ../../puppet/services/sshd.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + NovaMigrationTargetBase: + type: ../../puppet/services/nova-migration-target.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Nova Migration Target service. 
+ value: + service_name: nova_migration_target + config_settings: + map_merge: + - get_attr: [SshdBase, role_data, config_settings] + - get_attr: [NovaMigrationTargetBase, role_data, config_settings] + - tripleo.nova_migration_target.firewall_rules: + '113 nova_migration_target': + dport: + - {get_param: DockerNovaMigrationSshdPort} + step_config: &step_config + list_join: + - "\n" + - - get_attr: [SshdBase, role_data, step_config] + - get_attr: [NovaMigrationTargetBase, role_data, step_config] + puppet_config: + config_volume: nova_libvirt + step_config: *step_config + config_image: {get_param: DockerNovaLibvirtConfigImage} + kolla_config: + /var/lib/kolla/config_files/nova-migration-target.json: + command: + str_replace: + template: "/usr/sbin/sshd -D -p SSHDPORT" + params: + SSHDPORT: {get_param: DockerNovaMigrationSshdPort} + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + - source: /host-ssh/ssh_host_*_key + dest: /etc/ssh/ + owner: "root" + perm: "0600" + docker_config: + step_4: + nova_migration_target: + image: {get_param: DockerNovaComputeImage} + net: host + privileged: true + user: root + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/nova-migration-target.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/nova_libvirt/:/var/lib/kolla/config_files/src:ro + - /etc/ssh/:/host-ssh/:ro + - /run:/run + - /var/lib/nova:/var/lib/nova + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS diff --git a/docker/services/opendaylight-api.yaml b/docker/services/opendaylight-api.yaml index 80ca822b..6a62f65e 100644 --- a/docker/services/opendaylight-api.yaml +++ b/docker/services/opendaylight-api.yaml 
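Review bot: The nova_migration_target container runs sshd with `privileged: true`, `user: root` and `net: host`, yet the only host resources it uses are the read-write `/var/lib/nova` mount and the read-only host key copy; unless sshd needs something only privileged mode grants (not visible here), `privileged: false` would match the nova_api_cron change made in this same commit. The firewall rule `'113 nova_migration_target'` opens DockerNovaMigrationSshdPort with no `source` restriction, so whatever SshdBase puts into the sshd configuration is the only access control on this listener; a comment such as `# listener is reachable on every host interface; access is limited only by the sshd config from SshdBase` above the rule would make that explicit. The parameter `DockerNovaMigrationSshdPort` is declared with the same default in nova-compute.yaml and nova-libvirt.yaml as well, so the three declarations need to stay in lockstep.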
@@ -61,15 +61,12 @@ outputs: map_merge: - get_attr: [OpenDaylightBase, role_data, config_settings] step_config: &step_config - list_join: - - "\n" - - - get_attr: [OpenDaylightBase, role_data, step_config] - - "include tripleo::profile::base::neutron::opendaylight::create_cluster" + get_attr: [OpenDaylightBase, role_data, step_config] # BEGIN DOCKER SETTINGS puppet_config: config_volume: opendaylight # 'file,concat,file_line,augeas' are included by default - puppet_tags: odl_user,tripleo::profile::base::neutron::opendaylight::configure_cluster + puppet_tags: odl_user step_config: *step_config config_image: {get_param: DockerOpendaylightConfigImage} kolla_config: diff --git a/docker/services/pacemaker/database/mysql.yaml b/docker/services/pacemaker/database/mysql.yaml index 22c29b29..f12852f8 100644 --- a/docker/services/pacemaker/database/mysql.yaml +++ b/docker/services/pacemaker/database/mysql.yaml @@ -65,6 +65,17 @@ outputs: map_merge: - {get_attr: [MysqlPuppetBase, role_data, config_settings]} - tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image: &mysql_image {get_param: DockerMysqlImage} + tripleo::profile::pacemaker::database::mysql_bundle::control_port: 3123 + tripleo.mysql.firewall_rules: + '104 mysql galera-bundle': + dport: + - 873 + - 3123 + - 3306 + - 4444 + - 4567 + - 4568 + - 9200 step_config: "" # BEGIN DOCKER SETTINGS # puppet_config: diff --git a/docker/services/pacemaker/database/redis.yaml b/docker/services/pacemaker/database/redis.yaml index df7ae7f4..75b6d650 100644 --- a/docker/services/pacemaker/database/redis.yaml +++ b/docker/services/pacemaker/database/redis.yaml 
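Review bot: The added `tripleo.mysql.firewall_rules` entry in `@@ -65,6 +65,17 @@` lists seven bare port numbers with no comment and no `source` restriction, so a reader has to know that 873 is rsync for SST, 3123 the bundle control (pacemaker remote) port, 3306 MySQL, 4444 SST, 4567/4568 Galera replication and IST, and 9200 the clustercheck listener; a `# <port>: <purpose>` inline comment per entry would document that. The same applies to the redis hunk (`'108 redis-bundle'`: 3124 control, 6379 redis, 26379 sentinel) and the rabbitmq hunk (`'109 rabbitmq-bundle'`: 3122 control, 4369 epmd, 5672 AMQP, 25672 Erlang distribution). Whether these rules replace or supplement the rules from the puppet base services cannot be determined from the hunks; if they supplement, the port lists should be checked against the base ones.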
@@ -61,7 +61,13 @@ outputs: redis::notify_service: false redis::managed_by_cluster_manager: true tripleo::profile::pacemaker::database::redis_bundle::redis_docker_image: &redis_image {get_param: DockerRedisImage} - + tripleo::profile::pacemaker::database::redis_bundle::control_port: 3124 + tripleo.redis.firewall_rules: + '108 redis-bundle': + dport: + - 3124 + - 6379 + - 26379 step_config: "" service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS diff --git a/docker/services/pacemaker/rabbitmq.yaml b/docker/services/pacemaker/rabbitmq.yaml index dc56bcce..de53ceee 100644 --- a/docker/services/pacemaker/rabbitmq.yaml +++ b/docker/services/pacemaker/rabbitmq.yaml @@ -63,6 +63,14 @@ outputs: - {get_attr: [RabbitmqBase, role_data, config_settings]} - rabbitmq::service_manage: false tripleo::profile::pacemaker::rabbitmq_bundle::rabbitmq_docker_image: &rabbitmq_image {get_param: DockerRabbitmqImage} + tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122 + tripleo.rabbitmq.firewall_rules: + '109 rabbitmq-bundle': + dport: + - 3122 + - 4369 + - 5672 + - 25672 step_config: &step_config get_attr: [RabbitmqBase, role_data, step_config] service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]} diff --git a/docker/services/swift-storage.yaml b/docker/services/swift-storage.yaml index 04e58b4a..e879b25d 100644 --- a/docker/services/swift-storage.yaml +++ b/docker/services/swift-storage.yaml @@ -462,6 +462,7 @@ outputs: - openstack-swift-container-updater - openstack-swift-container - openstack-swift-object-auditor + - openstack-swift-object-expirer - openstack-swift-object-replicator - openstack-swift-object-updater - openstack-swift-object diff --git a/docker/services/zaqar.yaml b/docker/services/zaqar.yaml index 061a4a70..df57ad6a 100644 --- a/docker/services/zaqar.yaml +++ b/docker/services/zaqar.yaml 
@@ -40,9 +40,13 @@ parameters: default: {} description: Parameters specific to the role type: json + EnableInternalTLS: + type: boolean + default: false conditions: zaqar_management_store_sqlalchemy: {equals : [{get_param: ZaqarManagementStore}, 'sqlalchemy']} + internal_tls_enabled: {get_param: EnableInternalTLS} resources: @@ -58,6 +62,7 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -137,6 +142,16 @@ outputs: - /var/lib/kolla/config_files/zaqar.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/zaqar/:/var/lib/kolla/config_files/src:ro - /var/log/containers/zaqar:/var/log/zaqar + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - + if: + - internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS zaqar_websocket: @@ -162,3 +177,5 @@ outputs: - name: Stop and disable zaqar service tags: step2 service: name=httpd state=stopped enabled=no + metadata_settings: + get_attr: [ZaqarBase, role_data, metadata_settings] |
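Review bot: The new `EnableInternalTLS` parameter has no `description`, unlike the neighbouring parameters; `description: Whether to enable TLS on the internal network.` would match the file's style. The two conditional volume entries in `@@ -137,6 +142,16 @@` fall back to `''` when `internal_tls_enabled` is false, which leaves an empty string in the volumes list and relies on the consumer dropping empty entries — I cannot confirm that from this hunk, so a comment such as `# empty entry is dropped when internal TLS is off` above the first `if:` would record the assumption. Both certificate directories, including the private key path, are mounted `:ro`, which is the right direction.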