7 files changed, 29 insertions, 2 deletions

diff --git a/docker/services/cinder-api.yaml b/docker/services/cinder-api.yaml
index 25390c63..336b4540 100644
--- a/docker/services/cinder-api.yaml
+++ b/docker/services/cinder-api.yaml
@@ -200,6 +200,7 @@ outputs:
           tags: step2
           service: name=httpd state=stopped enabled=no
         - name: remove old cinder cron jobs
+          tags: step2
           file:
             path: /var/spool/cron/cinder
             state: absent
diff --git a/docker/services/glance-api.yaml b/docker/services/glance-api.yaml
index 1a6f5c77..b4336bea 100644
--- a/docker/services/glance-api.yaml
+++ b/docker/services/glance-api.yaml
@@ -39,6 +39,13 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  GlanceBackend:
+    default: swift
+    description: The short name of the Glance backend to use. Should be one
+      of swift, rbd, cinder, or file
+    type: string
+    constraints:
+    - allowed_values: ['swift', 'file', 'rbd', 'cinder']
   GlanceNfsEnabled:
     default: false
     description: >
@@ -63,6 +70,7 @@ conditions:
 
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
   nfs_backend_enabled: {equals: [{get_param: GlanceNfsEnabled}, true]}
+  cinder_backend_enabled: {equals: [{get_param: GlanceBackend}, cinder]}
 
 
 resources:
@@ -161,6 +169,12 @@ outputs:
                       - nfs_backend_enabled
                       - /var/lib/glance:/var/lib/glance
                       - ''
+                -
+                  if:
+                    - cinder_backend_enabled
+                    - - /dev:/dev
+                      - /etc/iscsi:/etc/iscsi
+                    - []
             environment:
               - KOLLA_BOOTSTRAP=True
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
@@ -171,7 +185,7 @@ outputs:
                 start_order: 2
                 image: *glance_api_image
                 net: host
-                privileged: false
+                privileged: {if: [cinder_backend_enabled, true, false]}
                 restart: always
                 volumes: *glance_volumes
                 environment:
diff --git a/docker/services/heat-api.yaml b/docker/services/heat-api.yaml
index 75d0b8c1..dcba519f 100644
--- a/docker/services/heat-api.yaml
+++ b/docker/services/heat-api.yaml
@@ -166,6 +166,7 @@ outputs:
           ignore_errors: True
           register: heat_api_enabled
         - name: remove old heat cron jobs
+          tags: step2
           file:
             path: /var/spool/cron/heat
             state: absent
diff --git a/docker/services/horizon.yaml b/docker/services/horizon.yaml
index 2c7d7a74..94fd9eef 100644
--- a/docker/services/horizon.yaml
+++ b/docker/services/horizon.yaml
@@ -95,6 +95,12 @@ outputs:
             - path: /var/log/horizon/
               owner: apache:apache
               recurse: true
+            # NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to
+            # horizon:horizon - the policy.json files need read permissions for the apache user
+            # FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead
+            - path: /etc/openstack-dashboard/
+              owner: apache:apache
+              recurse: true
             # FIXME Apache tries to write a .lock file there
             - path: /usr/share/openstack-dashboard/openstack_dashboard/local/
               owner: apache:apache
diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index 26cef614..a8ba5bf1 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -211,6 +211,7 @@ outputs:
           tags: step2
           service: name=httpd state=stopped enabled=no
         - name: remove old keystone cron jobs
+          tags: step2
           file:
             path: /var/spool/cron/keystone
             state: absent
diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml
index f262bcb1..7f1b7a54 100644
--- a/docker/services/nova-api.yaml
+++ b/docker/services/nova-api.yaml
@@ -246,6 +246,7 @@ outputs:
           ignore_errors: True
           when: {get_param: UpgradeRemoveUnusedPackages}
         - name: remove old nova cron jobs
+          tags: step2
           file:
             path: /var/spool/cron/nova
             state: absent
diff --git a/docker/services/pacemaker/clustercheck.yaml b/docker/services/pacemaker/clustercheck.yaml
index b5d128d4..6db8a212 100644
--- a/docker/services/pacemaker/clustercheck.yaml
+++ b/docker/services/pacemaker/clustercheck.yaml
@@ -44,8 +44,11 @@ resources:
   ContainersCommon:
     type: ../containers-common.yaml
 
+# We import from the corresponding docker service because otherwise we risk
+# rewriting the tripleo.mysql.firewall_rules key with the baremetal firewall
+# rules (see LP#1728918)
   MysqlPuppetBase:
-    type: ../../../puppet/services/pacemaker/database/mysql.yaml
+    type: ../../../docker/services/pacemaker/database/mysql.yaml
     properties:
       EndpointMap: {get_param: EndpointMap}
       ServiceData: {get_param: ServiceData}