Diffstat (limited to 'docker/services')
30 files changed, 995 insertions, 37 deletions
diff --git a/docker/services/aodh-api.yaml b/docker/services/aodh-api.yaml
index 8a02d8fd..f802e4e6 100644
--- a/docker/services/aodh-api.yaml
+++ b/docker/services/aodh-api.yaml
@@ -100,13 +100,14 @@ outputs:
 net: host
 privileged: false
 detach: false
+ user: root
 volumes:
 list_concat:
 - {get_attr: [ContainersCommon, volumes]}
 -
 - /var/lib/config-data/aodh/etc/aodh/:/etc/aodh/:ro
 - /var/log/containers/aodh:/var/log/aodh
- command: /usr/bin/aodh-dbsync
+ command: "/usr/bin/bootstrap_host_exec aodh_api su aodh -s /bin/bash -c /usr/bin/aodh-dbsync"
 step_4:
 aodh_api:
 image: *aodh_image
diff --git a/docker/services/containers-common.yaml b/docker/services/containers-common.yaml
index fad1456c..a9912a1f 100644
--- a/docker/services/containers-common.yaml
+++ b/docker/services/containers-common.yaml
@@ -1,4 +1,4 @@
-heat_template_version: ocata
+heat_template_version: pike
 
 description: >
 Contains a static list of common things necessary for containers
@@ -9,6 +9,8 @@ outputs:
 value:
 - /etc/hosts:/etc/hosts:ro
 - /etc/localtime:/etc/localtime:ro
+ # required for bootstrap_host_exec
+ - /etc/puppet:/etc/puppet:ro
 # OpenSSL trusted CAs
 - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
 - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
diff --git a/docker/services/database/mongodb.yaml b/docker/services/database/mongodb.yaml
index ed4e3177..96a02f9f 100644
--- a/docker/services/database/mongodb.yaml
+++ b/docker/services/database/mongodb.yaml
@@ -1,4 +1,4 @@
-heat_template_version: ocata
+heat_template_version: pike
 
 description: >
 MongoDB service deployment using puppet and docker
diff --git a/docker/services/database/mysql.yaml b/docker/services/database/mysql.yaml
index 3a4de24f..73578e13 100644
--- a/docker/services/database/mysql.yaml
+++ b/docker/services/database/mysql.yaml
@@ -1,4 +1,4 @@
-heat_template_version: ocata
+heat_template_version: pike
 
 description: >
 MySQL service deployment using puppet
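Review bot: The aodh db sync container now runs as `user: root` and relies on `su aodh` inside a bash string to drop privileges, but nothing in the hunk says why root is needed, so a reader will assume the dbsync itself runs as root. Add a comment above `user: root` such as `# root only so bootstrap_host_exec can read host data; the dbsync itself runs as aodh via su` (the host-data requirement is only implied by the /etc/puppet mount comment in containers-common, so confirm the wording). The inner command here is also the only one in the series left unquoted (`-c /usr/bin/aodh-dbsync`); wrapping it in single quotes like the other services keeps the pattern uniform if arguments are added later. The same root-plus-su pattern and the same missing comment recur in gnocchi-api, heat-engine, ironic-api, mistral-api and nova-api.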
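Review bot: Adding `/etc/puppet:/etc/puppet:ro` to the common volume list mounts the host's puppet tree into every service container, not only the bootstrap containers that run `bootstrap_host_exec`. In this deployment model the puppet tree holds hieradata, which typically carries service credentials (the init containers further down in this change copy it in and write `hieradata/docker.json`), so a compromise of any single service container now exposes that data read-only to the attacker. Consider moving the mount into the per-service bootstrap containers that need it, or at least extend the comment to `# required for bootstrap_host_exec; note this exposes host hieradata to every container` so the trade-off is explicit for future reviewers.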
diff --git a/docker/services/database/redis.yaml b/docker/services/database/redis.yaml
index 86c44900..73df96c5 100644
--- a/docker/services/database/redis.yaml
+++ b/docker/services/database/redis.yaml
@@ -1,4 +1,4 @@
-heat_template_version: ocata
+heat_template_version: pike
 
 description: >
 OpenStack containerized Redis services
diff --git a/docker/services/etcd.yaml b/docker/services/etcd.yaml
index 13a0735b..e5a7096b 100644
--- a/docker/services/etcd.yaml
+++ b/docker/services/etcd.yaml
@@ -1,4 +1,4 @@
-heat_template_version: ocata
+heat_template_version: pike
 
 description: >
 OpenStack containerized etcd services
diff --git a/docker/services/glance-api.yaml b/docker/services/glance-api.yaml
index ef1e00ed..df8186da 100644
--- a/docker/services/glance-api.yaml
+++ b/docker/services/glance-api.yaml
@@ -100,6 +100,7 @@ outputs:
 net: host
 privileged: false
 detach: false
+ user: root
 volumes: &glance_volumes
 list_concat:
 - {get_attr: [ContainersCommon, volumes]}
@@ -110,6 +111,7 @@ outputs:
 environment:
 - KOLLA_BOOTSTRAP=True
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ command: "/usr/bin/bootstrap_host_exec glance_api su glance -s /bin/bash -c '/usr/local/bin/kolla_start'"
 step_4:
 map_merge:
 - glance_api:
@@ -149,3 +151,5 @@ outputs:
 - name: Stop and disable glance_api service
 tags: step2
 service: name=openstack-glance-api state=stopped enabled=no
+ metadata_settings:
+ get_attr: [GlanceApiPuppetBase, role_data, metadata_settings]
diff --git a/docker/services/gnocchi-api.yaml b/docker/services/gnocchi-api.yaml
index 9b474731..e59d6095 100644
--- a/docker/services/gnocchi-api.yaml
+++ b/docker/services/gnocchi-api.yaml
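Review bot: The glance bootstrap now runs `kolla_start` under `su glance` while the container itself is `user: root`; the config-copy phase of kolla_start is the part that normally needs root (the `owner`/`perm` entries in config.json elsewhere in this change show it changes ownership), so if this image's config.json sets ownership the step may fail or leave files owned incorrectly — please confirm it was exercised against a fresh `/var/lib/config-data`. A one-line comment above `user: root`, e.g. `# root for bootstrap_host_exec only; kolla_start and the bootstrap run as glance`, would make the intent clear. The enclosing `glance_api_db_sync` container definition starts above the first hunk.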
@@ -100,13 +100,14 @@ outputs:
 net: host
 detach: false
 privileged: false
+ user: root
 volumes:
 list_concat:
 - {get_attr: [ContainersCommon, volumes]}
 -
 - /var/lib/config-data/gnocchi/etc/gnocchi/:/etc/gnocchi/:ro
 - /var/log/containers/gnocchi:/var/log/gnocchi
- command: ["/usr/bin/gnocchi-upgrade", "--skip-storage"]
+ command: "/usr/bin/bootstrap_host_exec gnocchi_api su gnocchi -s /bin/bash -c '/usr/bin/gnocchi-upgrade --skip-storage'"
 step_4:
 gnocchi_api:
 image: *gnocchi_image
diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml
new file mode 100644
index 00000000..1f8bcfad
--- /dev/null
+++ b/docker/services/haproxy.yaml
@@ -0,0 +1,111 @@ +heat_template_version: pike + +description: > + OpenStack containerized HAproxy service + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerHAProxyImage: + description: image + default: 'centos-binary-haproxy:latest' + type: string + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + HAProxyStatsPassword: + description: Password for HAProxy stats endpoint + hidden: true + type: string + HAProxyStatsUser: + description: User for HAProxy stats endpoint + default: admin + type: string + HAProxySyslogAddress: + default: /dev/log + description: Syslog address where HAproxy will send its log + type: string + RedisPassword: + description: The password for Redis + type: string + hidden: true + MonitoringSubscriptionHaproxy: + default: 'overcloud-haproxy' + type: string + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + HAProxyBase: + type: ../../puppet/services/haproxy.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the HAproxy role. 
+ value: + service_name: {get_attr: [HAProxyBase, role_data, service_name]} + config_settings: + map_merge: + - get_attr: [HAProxyBase, role_data, config_settings] + - tripleo::haproxy::haproxy_daemon: false + step_config: &step_config + get_attr: [HAProxyBase, role_data, step_config] + service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: haproxy + puppet_tags: haproxy_config + step_config: *step_config + config_image: &haproxy_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerHAProxyImage} ] + kolla_config: + /var/lib/kolla/config_files/haproxy.json: + command: haproxy -f /etc/haproxy/haproxy.cfg + docker_config: + step_1: + haproxy: + image: *haproxy_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/haproxy/etc/:/etc/:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + metadata_settings: + get_attr: [HAProxyBase, role_data, metadata_settings] diff --git a/docker/services/heat-api-cfn.yaml b/docker/services/heat-api-cfn.yaml index 2631928f..37fa4c81 100644 --- a/docker/services/heat-api-cfn.yaml +++ b/docker/services/heat-api-cfn.yaml @@ -132,3 +132,5 @@ outputs: - name: Stop and disable heat_api_cfn service tags: step2 service: name=httpd state=stopped enabled=no + metadata_settings: + get_attr: [HeatBase, role_data, metadata_settings] diff --git a/docker/services/heat-api.yaml b/docker/services/heat-api.yaml index b2f4eb64..5043aed8 100644 --- a/docker/services/heat-api.yaml +++ b/docker/services/heat-api.yaml @@ -132,3 +132,5 @@ outputs: - name: Stop and disable heat_api service tags: step2 service: name=httpd state=stopped enabled=no + metadata_settings: + get_attr: [HeatBase, role_data, metadata_settings] 
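Review bot: `HAProxyStatsPassword`, `HAProxyStatsUser`, `HAProxySyslogAddress`, `RedisPassword` and `MonitoringSubscriptionHaproxy` are declared as parameters in the new haproxy.yaml but never referenced: `HAProxyBase` only receives EndpointMap, ServiceNetMap, DefaultPasswords, RoleName and RoleParameters, and nothing else in the template reads them. If the puppet base template needs them they should be passed through explicitly in `properties`; otherwise drop them so two `hidden: true` secrets are not declared on a template that does nothing with them (if the surrounding tooling requires the declarations for parameter_defaults propagation, say so in a comment). The `haproxy` container also mounts `/var/lib/config-data/haproxy/etc/:/etc/:ro`, i.e. the whole generated /etc over the container's /etc; a comment explaining why the full tree rather than `/etc/haproxy` is needed would help reviewers.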
diff --git a/docker/services/heat-engine.yaml b/docker/services/heat-engine.yaml
index 8c554a50..0adad538 100644
--- a/docker/services/heat-engine.yaml
+++ b/docker/services/heat-engine.yaml
@@ -94,13 +94,14 @@ outputs:
 net: host
 privileged: false
 detach: false
+ user: root
 volumes:
 list_concat:
 - {get_attr: [ContainersCommon, volumes]}
 -
 - /var/lib/config-data/heat/etc/heat/:/etc/heat/:ro
 - /var/log/containers/heat:/var/log/heat
- command: ['heat-manage', 'db_sync']
+ command: "/usr/bin/bootstrap_host_exec heat_engine su heat -s /bin/bash -c 'heat-manage db_sync'"
 step_4:
 heat_engine:
 image: *heat_engine_image
diff --git a/docker/services/ironic-api.yaml b/docker/services/ironic-api.yaml
index 300aa0bd..c8978aa2 100644
--- a/docker/services/ironic-api.yaml
+++ b/docker/services/ironic-api.yaml
@@ -100,13 +100,14 @@ outputs:
 net: host
 privileged: false
 detach: false
+ user: root
 volumes:
 list_concat:
 - {get_attr: [ContainersCommon, volumes]}
 -
 - /var/lib/config-data/ironic/etc/:/etc/:ro
 - /var/log/containers/ironic:/var/log/ironic
- command: ['ironic-dbsync', '--config-file', '/etc/ironic/ironic.conf']
+ command: "/usr/bin/bootstrap_host_exec ironic_api su ironic -s /bin/bash -c 'ironic-dbsync --config-file /etc/ironic/ironic.conf'"
 step_4:
 ironic_api:
 start_order: 10
diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index ca643749..772859ee 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -131,8 +131,9 @@ outputs:
 environment:
 - KOLLA_BOOTSTRAP=True
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start']
 keystone:
- start_order: 1
+ start_order: 2
 image: *keystone_image
 net: host
 privileged: false
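Review bot: Unlike every other bootstrap container in this change, the keystone bootstrap gains a `bootstrap_host_exec` command without a `user: root` line, and it is the only one that does not drop to the service user with `su`. If the keystone image runs as a non-root user by default, `bootstrap_host_exec` will not be able to read the host data it needs; if it runs as root, kolla_start and the bootstrap run fully privileged with no comment saying that is intended. Either an explicit `user:` line or a comment such as `# image runs as root; bootstrap_host_exec needs host data and kolla_start does the chowns` keeps it consistent with the other services. The container this hunk edits starts above the hunk, so the image/user settings that apply to it are not visible here.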
@@ -141,10 +142,10 @@ outputs:
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
 keystone_bootstrap:
- start_order: 2
+ start_order: 3
 action: exec
 command:
- [ 'keystone', 'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ]
+ [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ]
 docker_puppet_tasks:
 # Keystone endpoint creation occurs only on single node
 step_3:
diff --git a/docker/services/mistral-api.yaml b/docker/services/mistral-api.yaml
index 3b256fdd..5586d41b 100644
--- a/docker/services/mistral-api.yaml
+++ b/docker/services/mistral-api.yaml
@@ -100,19 +100,21 @@ outputs:
 net: host
 privileged: false
 detach: false
+ user: root
 volumes:
 list_concat:
 - {get_attr: [ContainersCommon, volumes]}
 -
 - /var/lib/config-data/mistral/etc/:/etc/:ro
 - /var/log/containers/mistral:/var/log/mistral
- command: ['mistral-db-manage', '--config-file', '/etc/mistral/mistral.conf', 'upgrade', 'head']
+ command: "/usr/bin/bootstrap_host_exec mistral_api su mistral -s /bin/bash -c 'mistral-db-manage --config-file /etc/mistral/mistral.conf upgrade head'"
 mistral_db_populate:
 start_order: 2
 image: *mistral_image
 net: host
 privileged: false
 detach: false
+ user: root
 volumes:
 list_concat:
 - {get_attr: [ContainersCommon, volumes]}
@@ -121,7 +123,7 @@ outputs:
 - /var/log/containers/mistral:/var/log/mistral
 # NOTE: dprince this requires that we install openstack-tripleo-common into
 # the Mistral API image so that we get tripleo* actions
- command: ['mistral-db-manage', '--config-file', '/etc/mistral/mistral.conf', 'populate']
+ command: "/usr/bin/bootstrap_host_exec mistral_api su mistral -s /bin/bash -c 'mistral-db-manage --config-file /etc/mistral/mistral.conf populate'"
 step_4:
 mistral_api:
 start_order: 15
diff --git a/docker/services/neutron-api.yaml b/docker/services/neutron-api.yaml
index 748371d5..7ce47a14 100644
--- a/docker/services/neutron-api.yaml
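Review bot: The new exec argument list has a stray space before the comma in `'keystone' ,'keystone-manage'`; it parses as valid flow YAML but reads like a typo, so write `'keystone', 'keystone-manage'`. This list is passed to `docker exec` without a shell, so unlike the bash-string commands in the other services the `AdminPassword` value lands verbatim in the exec argv (as it already did before this change); a comment above `command:` noting that, e.g. `# exec form, no shell: the bootstrap password is visible in the process argv`, would help whoever later audits where secrets surface on the host.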
+++ b/docker/services/neutron-api.yaml
@@ -110,8 +110,6 @@ outputs:
 net: host
 privileged: false
 detach: false
- # FIXME: we should make config file permissions right
- # and run as neutron user
 user: root
 volumes:
 list_concat:
@@ -120,7 +118,10 @@ outputs:
 - /var/lib/config-data/neutron/etc/neutron:/etc/neutron:ro
 - /var/lib/config-data/neutron/usr/share/neutron:/usr/share/neutron:ro
 - /var/log/containers/neutron:/var/log/neutron
- command: ['neutron-db-manage', 'upgrade', 'heads']
+ command: ['/usr/bin/bootstrap_host_exec', 'neutron_api', 'neutron-db-manage', 'upgrade', 'heads']
+ # FIXME: we should make config file permissions right
+ # and run as neutron user
+ #command: "/usr/bin/bootstrap_host_exec neutron_api su neutron -s /bin/bash -c 'neutron-db-manage upgrade heads'"
 step_4:
 map_merge:
 - neutron_api:
@@ -164,3 +165,5 @@ outputs:
 - name: Stop and disable neutron_api service
 tags: step2
 service: name=neutron-server state=stopped enabled=no
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
diff --git a/docker/services/neutron-metadata.yaml b/docker/services/neutron-metadata.yaml
new file mode 100644
index 00000000..88b2ca5c
--- /dev/null
+++ b/docker/services/neutron-metadata.yaml
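Review bot: The `#command:` line added under the relocated FIXME is commented-out configuration; it will silently rot as the surrounding keys change, and yamllint flags the missing space after `#`. Prefer keeping only the FIXME text, e.g. `# FIXME: neutron-db-manage still runs as root here; switch to 'su neutron' like the other services once /etc/neutron permissions allow it`, and keep the alternative command in the tracking bug rather than in the template. The net effect of the two hunks is that this remains the only db sync in the series that runs as root end to end, which is worth stating in the commit message so it is not mistaken for an oversight.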
@@ -0,0 +1,110 @@ +heat_template_version: pike + +description: > + OpenStack containerized Neutron Metadata agent + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerNeutronMetadataImage: + description: image + default: 'centos-binary-neutron-metadata-agent:latest' + type: string + # we configure all neutron services in the same neutron + DockerNeutronConfigImage: + description: image + default: 'centos-binary-neutron-server:latest' + type: string + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + NeutronMetadataBase: + type: ../../puppet/services/neutron-metadata.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for Neutron Metadata agent + value: + service_name: {get_attr: [NeutronMetadataBase, role_data, service_name]} + config_settings: {get_attr: [NeutronMetadataBase, role_data, config_settings]} + step_config: &step_config + get_attr: [NeutronMetadataBase, role_data, step_config] + puppet_config: + puppet_tags: neutron_config,neutron_metadata_agent_config + config_volume: neutron + step_config: *step_config + config_image: + list_join: + - 
'/' + - [ {get_param: DockerNamespace}, {get_param: DockerNeutronConfigImage} ] + kolla_config: + /var/lib/kolla/config_files/neutron-metadata-agent.json: + command: /usr/bin/neutron-metadata-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/metadata_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-metadata-agent + permissions: + - path: /var/log/neutron + owner: neutron:neutron + recurse: true + docker_config: + step_4: + neutron_metadata_agent: + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNeutronMetadataImage} ] + net: host + pid: host + privileged: true + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/neutron-metadata-agent.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro + - /lib/modules:/lib/modules:ro + - /run:/run + - /var/log/containers/neutron:/var/log/neutron + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/neutron + state: directory + upgrade_tasks: + - name: Stop and disable neutron_metadata service + tags: step2 + service: name=neutron-metadata-agent state=stopped enabled=no diff --git a/docker/services/neutron-plugin-ml2.yaml b/docker/services/neutron-plugin-ml2.yaml index 2e5384ea..1739a5b9 100644 --- a/docker/services/neutron-plugin-ml2.yaml +++ b/docker/services/neutron-plugin-ml2.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Neutron ML2 Plugin configured with Puppet diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml index d571b21b..2375dada 100644 --- a/docker/services/nova-api.yaml +++ b/docker/services/nova-api.yaml 
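Review bot: `neutron_metadata_agent` runs with `privileged: true`, `pid: host` and a read-write `/run:/run` mount, which together give the container close to host-equivalent access, but the new template does not say which of these the agent actually needs. Please add a comment above `privileged: true` stating the requirement (presumably entering router/DHCP network namespaces under `/run/netns` for the metadata proxy — confirm), and reconsider `pid: host`, since none of the other new services in this change set it. If the only hard requirement turns out to be namespace entry, granting the specific capability instead of full privilege would be the defence-in-depth fix; if full privilege is genuinely required, document that it was evaluated so it is not cargo-culted into the next agent template.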
@@ -103,6 +103,7 @@ outputs:
 image: *nova_api_image
 net: host
 detach: false
+ user: root
 volumes: &nova_api_volumes
 list_concat:
 - {get_attr: [ContainersCommon, volumes]}
@@ -110,7 +111,7 @@ outputs:
 - /var/lib/kolla/config_files/nova_api.json:/var/lib/kolla/config_files/config.json:ro
 - /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro
 - /var/log/containers/nova:/var/log/nova
- command: ['/usr/bin/nova-manage', 'api_db', 'sync']
+ command: "/usr/bin/bootstrap_host_exec nova_api su nova -s /bin/bash -c '/usr/bin/nova-manage api_db sync'"
 # FIXME: we probably want to wait on the 'cell_v2 update' in order for this
 # to be capable of upgrading a baremetal setup. This is to ensure the name
 # of the cell is 'default'
@@ -119,11 +120,9 @@ outputs:
 image: *nova_api_image
 net: host
 detach: false
+ user: root
 volumes: *nova_api_volumes
- command:
- - '/usr/bin/nova-manage'
- - 'cell_v2'
- - 'map_cell0'
+ command: "/usr/bin/bootstrap_host_exec nova_api su nova -s /bin/bash -c '/usr/bin/nova-manage cell_v2 map_cell0'"
 nova_api_create_default_cell:
 start_order: 3
 image: *nova_api_image
@@ -134,18 +133,16 @@ outputs:
 # this idempotent (if the resource already exists a conflict
 # is raised)
 exit_codes: [0,2]
- command:
- - '/usr/bin/nova-manage'
- - 'cell_v2'
- - 'create_cell'
- - '--name="default"'
+ user: root
+ command: "/usr/bin/bootstrap_host_exec nova_api su nova -s /bin/bash -c '/usr/bin/nova-manage cell_v2 create_cell --name=default'"
 nova_db_sync:
 start_order: 4
 image: *nova_api_image
 net: host
 detach: false
 volumes: *nova_api_volumes
- command: ['/usr/bin/nova-manage', 'db', 'sync']
+ user: root
+ command: "/usr/bin/bootstrap_host_exec nova_api su nova -s /bin/bash -c '/usr/bin/nova-manage db sync'"
 step_4:
 nova_api:
 start_order: 2
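Review bot: In the `create_cell` hunk the argument changed from the list element `'--name="default"'` to `--name=default` inside a bash string; with the old list form the double quotes were passed literally to nova-manage, so the cell name itself changes from `"default"` (with quotes) to `default`. That is probably the intended fix, but it is a behaviour change on upgrade: a deployment that registered the quoted name will not hit the `exit_codes: [0,2]` conflict path and may end up with two cells. Please state this in the commit message and add a comment above the command, e.g. `# the quotes used to reach nova-manage literally; the cell is now named plain 'default'`. The `user: root` key also lands after `exit_codes:`/`volumes:` in these two containers but after `detach:` in the others; one key order makes the five nova containers easier to scan.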
@@ -164,10 +161,8 @@ outputs:
 net: host
 detach: false
 volumes: *nova_api_volumes
- command:
- - '/usr/bin/nova-manage'
- - 'cell_v2'
- - 'discover_hosts'
+ user: root
+ command: "/usr/bin/bootstrap_host_exec nova_api su nova -s /bin/bash -c '/usr/bin/nova-manage cell_v2 discover_hosts'"
 host_prep_tasks:
 - name: create persistent logs directory
 file:
diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml
index ebf0da7d..9779d676 100644
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@@ -18,6 +18,10 @@ parameters:
 description: image
 default: 'centos-binary-nova-compute:latest'
 type: string
+ EnablePackageInstall:
+ default: 'false'
+ description: Set to true to enable package installation
+ type: boolean
 ServiceNetMap:
 default: {}
 description: Mapping of service_name -> network name. Typically set
@@ -112,6 +116,7 @@ outputs:
 - /var/run/libvirt:/var/run/libvirt
 - /var/lib/libvirt:/var/lib/libvirt
 - /etc/libvirt/qemu:/etc/libvirt/qemu
+ - /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro
 - /var/log/containers/nova:/var/log/nova
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
@@ -124,6 +129,22 @@ outputs:
 - /etc/libvirt/qemu
 - /var/lib/libvirt
 - /var/log/containers/nova
+ - name: set enable_package_install fact
+ set_fact:
+ enable_package_install: {get_param: EnablePackageInstall}
+ # We use virtlogd on host, so when using Deployed Server
+ # feature, we need to ensure libvirt is installed.
+ - name: install libvirt-daemon
+ package:
+ name: libvirt-daemon
+ state: present
+ when: enable_package_install
+ - name: start virtlogd socket
+ service:
+ name: virtlogd.socket
+ state: started
+ enabled: yes
+ when: enable_package_install
 upgrade_tasks:
 - name: Stop and disable libvirtd service
 tags: step2
diff --git a/docker/services/nova-metadata.yaml b/docker/services/nova-metadata.yaml
index 2aebbb2f..e158d3bc 100644
--- a/docker/services/nova-metadata.yaml
+++ b/docker/services/nova-metadata.yaml
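Review bot: `EnablePackageInstall` is declared `type: boolean` but defaulted to the string `'false'`, and the virtlogd task uses `enabled: yes`; Heat coerces the default and Ansible accepts `yes`, but `default: false` and `enabled: true` are the canonical forms and avoid the yes/no truthy ambiguity that yamllint flags. The `when: enable_package_install` guards read a fact set from the Heat boolean, which should evaluate correctly, but note the `set_fact` task itself always runs. The new `/var/log/libvirt/qemu:...:ro` mount in the second hunk is not explained by the neighbouring comment, which only covers installing libvirt on the host; a line such as `# guest logs are written by the host virtlogd; exposed read-only to the container` would tie the two together (confirm that is the reason).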
@@ -1,4 +1,4 @@
-heat_template_version: ocata
+heat_template_version: pike
 
 description: >
 OpenStack containerized Nova Metadata service
diff --git a/docker/services/pacemaker/clustercheck.yaml b/docker/services/pacemaker/clustercheck.yaml
new file mode 100644
index 00000000..bad2acf6
--- /dev/null
+++ b/docker/services/pacemaker/clustercheck.yaml
@@ -0,0 +1,103 @@ +heat_template_version: pike + +description: > + MySQL HA clustercheck service deployment using puppet + This service is used by HAProxy in a HA scenario to report whether + the local galera node is synced + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerClustercheckImage: + description: image + default: 'centos-binary-mariadb:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ../containers-common.yaml + + MysqlPuppetBase: + type: ../../../puppet/services/pacemaker/database/mysql.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Containerized service clustercheck using composable services. 
+ value: + service_name: clustercheck + config_settings: {get_attr: [MysqlPuppetBase, role_data, config_settings]} + step_config: "include ::tripleo::profile::pacemaker::clustercheck" + # BEGIN DOCKER SETTINGS # + puppet_config: + config_volume: clustercheck + puppet_tags: file # set this even though file is the default + step_config: "include ::tripleo::profile::pacemaker::clustercheck" + config_image: &clustercheck_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerClustercheckImage} ] + kolla_config: + /var/lib/kolla/config_files/clustercheck.json: + command: /usr/sbin/xinetd -dontfork + config_files: + - dest: /etc/xinetd.conf + source: /var/lib/kolla/config_files/src/etc/xinetd.conf + owner: mysql + perm: '0644' + - dest: /etc/xinetd.d/galera-monitor + source: /var/lib/kolla/config_files/src/etc/xinetd.d/galera-monitor + owner: mysql + perm: '0644' + - dest: /etc/sysconfig/clustercheck + source: /var/lib/kolla/config_files/src/etc/sysconfig/clustercheck + owner: mysql + perm: '0600' + docker_config: + step_2: + clustercheck: + start_order: 1 + image: *clustercheck_image + restart: always + net: host + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/clustercheck.json:/var/lib/kolla/config_files/config.json + - /var/lib/config-data/clustercheck/:/var/lib/kolla/config_files/src:ro + - /var/lib/mysql:/var/lib/mysql + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + upgrade_tasks: diff --git a/docker/services/pacemaker/database/mysql.yaml b/docker/services/pacemaker/database/mysql.yaml new file mode 100644 index 00000000..d64845f2 --- /dev/null +++ b/docker/services/pacemaker/database/mysql.yaml 
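Review bot: `host_prep_tasks:` and `upgrade_tasks:` at the end of the new clustercheck.yaml are bare keys, which YAML parses as `null` rather than an empty list; every other service in this directory supplies a list, so write `host_prep_tasks: []` and `upgrade_tasks: []` (or drop the keys) so consumers iterating over them do not trip on `None`. The config.json bind `/var/lib/kolla/config_files/clustercheck.json:/var/lib/kolla/config_files/config.json` is also the only one in this change without `:ro`; add it unless kolla needs to write there. `/var/lib/mysql` is mounted read-write into a container whose job is only to reach the galera socket; if the check still works with `:ro` (connecting to a unix socket on a read-only bind mount normally does — verify), that removes write access to the datadir from the xinetd container.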
@@ -0,0 +1,180 @@ +heat_template_version: pike + +description: > + MySQL service deployment with pacemaker bundle + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerMysqlImage: + description: image + default: 'centos-binary-mariadb:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + MysqlRootPassword: + type: string + hidden: true + default: '' + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ../../containers-common.yaml + + MysqlPuppetBase: + type: ../../../../puppet/services/pacemaker/database/mysql.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Containerized service MySQL using composable services. 
+ value: + service_name: {get_attr: [MysqlPuppetBase, role_data, service_name]} + config_settings: + map_merge: + - {get_attr: [MysqlPuppetBase, role_data, config_settings]} + - tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image: &mysql_image + list_join: + - '/' + - - {get_param: DockerNamespace} + - {get_param: DockerMysqlImage} + step_config: "" + # BEGIN DOCKER SETTINGS # + puppet_config: + config_volume: mysql + puppet_tags: file # set this even though file is the default + step_config: + list_join: + - "\n" + - - "['Mysql_datadir', 'Mysql_user', 'Mysql_database', 'Mysql_grant', 'Mysql_plugin'].each |String $val| { noop_resource($val) }" + - "exec {'wait-for-settle': command => '/bin/true' }" + - "include ::tripleo::profile::pacemaker::database::mysql_bundle" + config_image: *mysql_image + kolla_config: + /var/lib/kolla/config_files/mysql.json: + command: /usr/sbin/pacemaker_remoted + config_files: + - dest: /etc/libqb/force-filesystem-sockets + source: /dev/null + owner: root + perm: '0644' + - dest: /etc/my.cnf + source: /var/lib/kolla/config_files/src/etc/my.cnf + owner: mysql + perm: '0644' + - dest: /etc/my.cnf.d/galera.cnf + source: /var/lib/kolla/config_files/src/etc/my.cnf.d/galera.cnf + owner: mysql + perm: '0644' + - dest: /etc/sysconfig/clustercheck + source: /var/lib/kolla/config_files/src/etc/sysconfig/clustercheck + owner: root + perm: '0600' + docker_config: + step_1: + mysql_data_ownership: + start_order: 0 + detach: false + image: *mysql_image + net: host + user: root + # Kolla does only non-recursive chown + command: ['chown', '-R', 'mysql:', '/var/lib/mysql'] + volumes: + - /var/lib/mysql:/var/lib/mysql + mysql_bootstrap: + start_order: 1 + detach: false + image: *mysql_image + net: host + # Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done + command: ['bash', '-c', 'test -e /var/lib/mysql/mysql || kolla_start'] + volumes: &mysql_volumes + list_concat: + - {get_attr: [ContainersCommon, 
volumes]} + - + - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json + - /var/lib/config-data/mysql/:/var/lib/kolla/config_files/src:ro + - /var/lib/mysql:/var/lib/mysql + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - KOLLA_BOOTSTRAP=True + # NOTE(mandre) skip wsrep cluster status check + - KOLLA_KUBERNETES=True + - + list_join: + - '=' + - - 'DB_ROOT_PASSWORD' + - + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: MysqlRootPassword} + - {get_param: [DefaultPasswords, mysql_root_password]} + step_2: + mysql_init_bundle: + start_order: 1 + detach: false + net: host + user: root + command: + - '/bin/bash' + - '-c' + - str_replace: + template: + list_join: + - '; ' + - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 2}' > /etc/puppet/hieradata/docker.json" + - "FACTER_uuid=docker puppet apply --tags file,file_line,concat,augeas,TAGS -v -e 'CONFIG'" + params: + TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation,galera_ready,mysql_database,mysql_grant,mysql_user' + CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::database::mysql_bundle' + image: *mysql_image + volumes: + - /etc/hosts:/etc/hosts:ro + - /etc/localtime:/etc/localtime:ro + - /etc/puppet:/tmp/puppet-etc:ro + - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro + - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro + - /dev/shm:/dev/shm:rw + - /var/lib/config-data/mysql/etc/my.cnf:/etc/my.cnf:ro + - /var/lib/config-data/mysql/etc/my.cnf.d:/etc/my.cnf.d:ro + - /var/lib/mysql:/var/lib/mysql:rw + host_prep_tasks: + - name: create /var/lib/mysql + file: + path: /var/lib/mysql + state: directory + upgrade_tasks: + - name: Stop and disable mysql service + tags: step2 + service: name=mariadb state=stopped enabled=no 
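Review bot: `DB_ROOT_PASSWORD` is handed to `mysql_bootstrap` as a container environment variable, so the MariaDB root password is readable by anything that can run `docker inspect` on the host or read `/proc/<pid>/environ` inside the container, and it stays attached to the container object after bootstrap unless the container is removed. This may mirror the existing non-pacemaker `database/mysql.yaml`, so it is not necessarily new exposure, but it deserves a comment such as `# NOTE: the root password is exposed in this container's environment; restrict docker socket access accordingly` (and confirm whether the bootstrap container is removed after step 1). Separately, `mysql_init_bundle` in step_2 copies the host's `/etc/puppet` into the container and writes `hieradata/docker.json`, which is why it needs `user: root`; a one-line comment above `user: root` saying so would spare the next reader the same deduction.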
diff --git a/docker/services/pacemaker/database/redis.yaml b/docker/services/pacemaker/database/redis.yaml
new file mode 100644
index 00000000..ef27f7e9
--- /dev/null
+++ b/docker/services/pacemaker/database/redis.yaml
@@ -0,0 +1,140 @@ +heat_template_version: pike + +description: > + OpenStack containerized Redis services + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerRedisImage: + description: image + default: 'centos-binary-redis:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + RedisBase: + type: ../../../../puppet/services/database/redis.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Redis API role. 
+ value: + service_name: {get_attr: [RedisBase, role_data, service_name]} + config_settings: + map_merge: + - {get_attr: [RedisBase, role_data, config_settings]} + - redis::service_manage: false + redis::notify_service: false + redis::managed_by_cluster_manager: true + tripleo::profile::pacemaker::database::redis_bundle::redis_docker_image: &redis_image + list_join: + - '/' + - - {get_param: DockerNamespace} + - {get_param: DockerRedisImage} + + step_config: "" + service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: 'redis' + # NOTE: we need the exec tag to copy /etc/redis.conf.puppet to + # /etc/redis.conf + # https://github.com/arioch/puppet-redis/commit/1c004143223e660cbd433422ff8194508aab9763 + puppet_tags: 'exec' + step_config: + get_attr: [RedisBase, role_data, step_config] + config_image: *redis_image + kolla_config: + /var/lib/kolla/config_files/redis.json: + command: /usr/sbin/pacemaker_remoted + config_files: + - dest: /etc/libqb/force-filesystem-sockets + source: /dev/null + owner: root + perm: '0644' + permissions: + - path: /var/run/redis + owner: redis:redis + recurse: true + - path: /var/lib/redis + owner: redis:redis + recurse: true + - path: /var/log/redis + owner: redis:redis + recurse: true + docker_config: + step_2: + redis_init_bundle: + start_order: 2 + detach: false + net: host + user: root + config_volume: 'redis_init_bundle' + command: + - '/bin/bash' + - '-c' + - str_replace: + template: + list_join: + - '; ' + - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 2}' > /etc/puppet/hieradata/docker.json" + - "FACTER_uuid=docker puppet apply --tags file,file_line,concat,augeas,TAGS -v -e 'CONFIG'" + params: + TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation' + CONFIG: 'include ::tripleo::profile::base::pacemaker;include 
::tripleo::profile::pacemaker::database::redis_bundle' + image: *redis_image + volumes: + - /etc/hosts:/etc/hosts:ro + - /etc/localtime:/etc/localtime:ro + - /etc/puppet:/tmp/puppet-etc:ro + - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro + - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro + - /dev/shm:/dev/shm:rw + host_prep_tasks: + - name: create /var/run/redis + file: + path: /var/run/redis + state: directory + - name: create /var/log/redis + file: + path: /var/log/redis + state: directory + - name: create /var/lib/redis + file: + path: /var/lib/redis + state: directory + upgrade_tasks: + - name: Stop and disable redis service + tags: step2 + service: name=redis state=stopped enabled=no diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml new file mode 100644 index 00000000..ae19652e --- /dev/null +++ b/docker/services/pacemaker/haproxy.yaml 
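Review bot: `config_volume: 'redis_init_bundle'` appears inside the `redis_init_bundle` container definition under `docker_config`, but everywhere else in this change `config_volume` is a `puppet_config` key and no other container sets it; unless the container runner consumes it, it is a stray key that will be silently ignored, so either remove it or add a comment naming what reads it. The init container runs as `user: root` with the host's `/etc/puppet` mounted read-only, copies it in and writes hieradata, the same as `mysql_init_bundle`; a short comment above `user: root` stating that dependency would help. Note also that, unlike `pacemaker/database/mysql.yaml`, this template does not instantiate `ContainersCommon`, so the CA-bundle mounts from containers-common are absent from `redis_init_bundle` — confirm the puppet apply does not need them.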
@@ -0,0 +1,116 @@
+heat_template_version: pike
+
+description: >
+ OpenStack containerized HAproxy service for pacemaker
+
+parameters:
+ DockerNamespace:
+ description: namespace
+ default: 'tripleoupstream'
+ type: string
+ DockerHAProxyImage:
+ description: image
+ default: 'centos-binary-haproxy:latest'
+ type: string
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+
+resources:
+
+ HAProxyBase:
+ type: ../../../puppet/services/pacemaker/haproxy.yaml
+ properties:
+ EndpointMap: {get_param: EndpointMap}
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ RoleName: {get_param: RoleName}
+ RoleParameters: {get_param: RoleParameters}
+
+outputs:
+ role_data:
+ description: Role data for the HAproxy role.
+ value:
+ service_name: {get_attr: [HAProxyBase, role_data, service_name]}
+ config_settings:
+ map_merge:
+ - get_attr: [HAProxyBase, role_data, config_settings]
+ - tripleo::haproxy::haproxy_daemon: false
+ haproxy_docker: true
+ tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image
+ list_join:
+ - '/'
+ - [ {get_param: DockerNamespace}, {get_param: DockerHAProxyImage} ]
+ step_config:
+ list_join:
+ - "\n"
+ - - &noop_pcmk "['pcmk_bundle', 'pcmk_resource', 'pcmk_property', 'pcmk_constraint', 'pcmk_resource_default'].each |String $val| { noop_resource($val) }"
+ - 'include ::tripleo::profile::pacemaker::haproxy_bundle'
+ service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
+ # BEGIN DOCKER SETTINGS
+ puppet_config:
+ config_volume: haproxy
+ puppet_tags: haproxy_config
+ step_config:
+ list_join:
+ - "\n"
+ - - "exec {'wait-for-settle': command => '/bin/true' }"
+ - &noop_firewall "class tripleo::firewall(){}; define tripleo::firewall::rule( $port = undef, $dport = undef, $sport = undef, $proto = undef, $action = undef, $state = undef, $source = undef, $iniface = undef, $chain = undef, $destination = undef, $extras = undef){}"
+ - *noop_pcmk
+ - 'include ::tripleo::profile::pacemaker::haproxy_bundle'
+ config_image: *haproxy_image
+ kolla_config:
+ /var/lib/kolla/config_files/haproxy.json:
+ command: haproxy -f /etc/haproxy/haproxy.cfg
+ docker_config:
+ step_2:
+ haproxy_init_bundle:
+ start_order: 3
+ detach: false
+ net: host
+ user: root
+ command:
+ - '/bin/bash'
+ - '-c'
+ - str_replace:
+ template:
+ list_join:
+ - '; '
+ - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 2}' > /etc/puppet/hieradata/docker.json"
+ - "FACTER_uuid=docker puppet apply --tags file,file_line,concat,augeas,TAGS -v -e 'CONFIG'"
+ params:
+ TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
+
CONFIG:
+ list_join:
+ - ';'
+ - - *noop_firewall
+ - 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::haproxy_bundle'
+ image: *haproxy_image
+ volumes:
+ - /etc/hosts:/etc/hosts:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/puppet:/tmp/puppet-etc:ro
+ - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
+ - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
+ - /dev/shm:/dev/shm:rw
+ metadata_settings:
+ get_attr: [HAProxyBase, role_data, metadata_settings]
diff --git a/docker/services/pacemaker/rabbitmq.yaml b/docker/services/pacemaker/rabbitmq.yaml
new file mode 100644
index 00000000..7f6ac701
--- /dev/null
+++ b/docker/services/pacemaker/rabbitmq.yaml
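Review bot: The `&noop_firewall` stub turns every `tripleo::firewall::rule` from the HAProxy profile into a no-op in both puppet runs this template drives (the `puppet_config` step_config and the init-bundle `CONFIG`), so nothing in this file applies host firewall rules for the HAProxy listeners and the hunk does not say where they are applied instead. If the base profile's rules are not applied by a host-side run, the listeners end up governed by whatever the default chain policy is; a comment above the anchor would pin the expectation, e.g. `# firewall rules are stubbed: iptables cannot be managed from inside the container; host rules for the HAProxy listeners are presumably applied by the host puppet run — confirm`. The same stub pattern is reused verbatim in `CONFIG` via `*noop_firewall`, which is fine, but the duplicated `*noop_pcmk` line in both step_config lists deserves a one-line comment saying the pacemaker resource types are no-op'd during config generation and only realised by the init bundle. Separately, `DefaultPasswords` is the only parameter without a `description`, and `description: image` / `description: namespace` say less than the other parameters do; `description: Docker image name for the HAProxy container` would match their style.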
@@ -0,0 +1,159 @@
+heat_template_version: pike
+
+description: >
+ OpenStack containerized Rabbitmq service
+
+parameters:
+ DockerNamespace:
+ description: namespace
+ default: 'tripleoupstream'
+ type: string
+ DockerRabbitmqImage:
+ description: image
+ default: 'centos-binary-rabbitmq:latest'
+ type: string
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RabbitCookie:
+ type: string
+ default: ''
+ hidden: true
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+
+resources:
+
+ RabbitmqBase:
+ type: ../../../puppet/services/rabbitmq.yaml
+ properties:
+ EndpointMap: {get_param: EndpointMap}
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ RoleName: {get_param: RoleName}
+ RoleParameters: {get_param: RoleParameters}
+
+outputs:
+ role_data:
+ description: Role data for the Rabbitmq API role.
+ value:
+ service_name: {get_attr: [RabbitmqBase, role_data, service_name]}
+ config_settings:
+ map_merge:
+ - {get_attr: [RabbitmqBase, role_data, config_settings]}
+ - rabbitmq::service_manage: false
+ tripleo::profile::pacemaker::rabbitmq_bundle::rabbitmq_docker_image: &rabbitmq_image
+ list_join:
+ - '/'
+ - - {get_param: DockerNamespace}
+ - {get_param: DockerRabbitmqImage}
+ step_config: &step_config
+ get_attr: [RabbitmqBase, role_data, step_config]
+ service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
+ # BEGIN DOCKER SETTINGS
+ puppet_config:
+ config_volume: rabbitmq
+ puppet_tags: file
+ step_config: *step_config
+ config_image: *rabbitmq_image
+ kolla_config:
+ /var/lib/kolla/config_files/rabbitmq.json:
+ command: /usr/sbin/pacemaker_remoted
+ config_files:
+ - dest: /etc/libqb/force-filesystem-sockets
+ source: /dev/null
+ owner: root
+ perm: '0644'
+ permissions:
+ - path: /var/lib/rabbitmq
+ owner: rabbitmq:rabbitmq
+ recurse: true
+ - path: /var/log/rabbitmq
+ owner: rabbitmq:rabbitmq
+ recurse: true
+ # When using pacemaker we don't launch the container, instead that is done by pacemaker
+ # itself.
+ docker_config:
+ step_1:
+ rabbitmq_bootstrap:
+ start_order: 0
+ image: *rabbitmq_image
+ net: host
+ privileged: false
+ volumes:
+ - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
+ - /var/lib/config-data/rabbitmq/etc/rabbitmq:/etc/rabbitmq:ro
+ - /etc/hosts:/etc/hosts:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /var/lib/rabbitmq:/var/lib/rabbitmq
+ environment:
+ - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ - KOLLA_BOOTSTRAP=True
+ -
+ list_join:
+ - '='
+ - - 'RABBITMQ_CLUSTER_COOKIE'
+ -
+ yaql:
+ expression: $.data.passwords.where($ != '').first()
+ data:
+ passwords:
+ - {get_param: RabbitCookie}
+ - {get_param: [DefaultPasswords, rabbit_cookie]}
+ step_2:
+ rabbitmq_init_bundle:
+ start_order: 0
+ detach: false
+ net: host
+ user: root
+ command:
+ - '/bin/bash'
+ - '-c'
+ - str_replace:
+ template:
+ list_join:
+ - '; '
+ - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 2}' > /etc/puppet/hieradata/docker.json"
+ - "FACTER_uuid=docker puppet apply --tags file,file_line,concat,augeas,TAGS -v -e 'CONFIG'"
+ params:
+ TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
+ CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::rabbitmq_bundle'
+ image: *rabbitmq_image
+ volumes:
+ - /etc/hosts:/etc/hosts:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/puppet:/tmp/puppet-etc:ro
+ - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
+ - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
+ - /dev/shm:/dev/shm:rw
+ host_prep_tasks:
+ - name: create /var/lib/rabbitmq
+ file:
+ path: /var/lib/rabbitmq
+ state: directory
+ - name: stop the Erlang port mapper on the host and make sure it cannot bind to the port used by container
+ shell: |
+ echo 'export ERL_EPMD_ADDRESS=127.0.0.1' > /etc/rabbitmq/rabbitmq-env.conf
+ echo 'export ERL_EPMD_PORT=4370' >>
/etc/rabbitmq/rabbitmq-env.conf
+ for pid in $(pgrep epmd); do if [ "$(lsns -o NS -p $pid)" == "$(lsns -o NS -p 1)" ]; then kill $pid; break; fi; done
+ upgrade_tasks:
+ - name: Stop and disable rabbitmq service
+ tags: step2
+ service: name=rabbitmq-server state=stopped enabled=no
diff --git a/docker/services/panko-api.yaml b/docker/services/panko-api.yaml
index 46cfa5ab..b9e6e93a 100644
--- a/docker/services/panko-api.yaml
+++ b/docker/services/panko-api.yaml
@@ -101,13 +101,14 @@ outputs:
net: host
detach: false
privileged: false
+ user: root
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/config-data/panko/etc/panko:/etc/panko:ro
- /var/log/containers/panko:/var/log/panko
- command: /usr/bin/panko-dbsync
+ command: "/usr/bin/bootstrap_host_exec panko_api su panko -s /bin/bash -c '/usr/bin/panko-dbsync'"
step_4:
panko_api:
start_order: 2
diff --git a/docker/services/services.yaml b/docker/services/services.yaml
index 15f1bf02..2ad3b63d 100644
--- a/docker/services/services.yaml
+++ b/docker/services/services.yaml
@@ -1,4 +1,4 @@
-heat_template_version: ocata
+heat_template_version: pike
description: >
Utility stack to convert an array of services into a set of combined
diff --git a/docker/services/swift-proxy.yaml b/docker/services/swift-proxy.yaml
index 60972f91..04c4ba1e 100644
--- a/docker/services/swift-proxy.yaml
+++ b/docker/services/swift-proxy.yaml
@@ -135,3 +135,5 @@ outputs:
- name: Stop and disable swift_proxy service
tags: step2
service: name=openstack-swift-proxy state=stopped enabled=no
+ metadata_settings:
+ get_attr: [SwiftProxyBase, role_data, metadata_settings]
diff --git a/docker/services/swift-ringbuilder.yaml b/docker/services/swift-ringbuilder.yaml
index 9ced8f27..bfd445d0 100644
--- a/docker/services/swift-ringbuilder.yaml
+++ b/docker/services/swift-ringbuilder.yaml
@@ -1,4 +1,4 @@
-heat_template_version: ocata
+heat_template_version: pike
description: >
OpenStack Swift Ringbuilder |
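Review bot: The Erlang cookie is passed to `rabbitmq_bootstrap` as the plain environment variable `RABBITMQ_CLUSTER_COOKIE`, so although `RabbitCookie` is `hidden: true` at the Heat layer the secret is readable through `docker inspect` and the process environment on the host for as long as that container exists; if the kolla bootstrap also persists it under the `/var/lib/rabbitmq` bind mount, a comment saying so would make the exposure explicit, and if it does not, the environment is the only copy and that is worth stating too. The yaql `where($ != '').first()` presumably fails the stack with an unhelpful error when both `RabbitCookie` and `DefaultPasswords.rabbit_cookie` are empty; either document that `rabbit_cookie` is always generated or give the expression a fallback. In `host_prep_tasks` the `shell` step redirects into `/etc/rabbitmq/rabbitmq-env.conf` without ensuring the directory exists, so on a host where no rabbitmq package was ever installed the task fails; a preceding task mirroring `create /var/lib/rabbitmq`, i.e. `- name: create /etc/rabbitmq` / `file:` / `path: /etc/rabbitmq` / `state: directory`, fixes that, and `creates:` or an explicit idempotency note would be welcome since the step kills a host process. The `# When using pacemaker we don't launch the container` comment sits directly above a `step_1` that does launch a container; reword it to `# step_1 only runs the one-shot kolla bootstrap; the rabbitmq service container itself is launched by the pacemaker bundle, not by docker_config`.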
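Review bot: `user: root` now applies to the whole db-sync container while only the inner `su panko` drops privileges for `/usr/bin/panko-dbsync`, and the hunk carries no comment on why the elevation is needed; a one-line comment above `user: root` such as `# root is required by bootstrap_host_exec (presumably to read the host puppet hieradata); the dbsync itself runs as panko via su — confirm` would document the intent for the next reader. The single-quoted `'/usr/bin/panko-dbsync'` inside the double-quoted `command` is the form `su -c` expects (one argument), so keep that quoting consistent in the sibling db-sync templates this series touches. The panko_db_sync container definition starts before this hunk and the step_4 block continues after it.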