Diffstat (limited to 'docker')
55 files changed, 3946 insertions, 1393 deletions
diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py index 157bf63f..49dd00cd 100755 --- a/docker/docker-puppet.py +++ b/docker/docker-puppet.py @@ -19,12 +19,20 @@ # inside of a container. import json +import logging import os import subprocess import sys import tempfile import multiprocessing +log = logging.getLogger() +log.setLevel(logging.DEBUG) +ch = logging.StreamHandler(sys.stdout) +ch.setLevel(logging.DEBUG) +formatter = logging.Formatter('%(asctime)s %(levelname)s: %(message)s') +ch.setFormatter(formatter) +log.addHandler(ch) # this is to match what we do in deployed-server def short_hostname(): 
@@ -36,39 +44,47 @@ def short_hostname(): def pull_image(name): - print('Pulling image: %s' % name) + log.info('Pulling image: %s' % name) subproc = subprocess.Popen(['/usr/bin/docker', 'pull', name], stdout=subprocess.PIPE, stderr=subprocess.PIPE) cmd_stdout, cmd_stderr = subproc.communicate() - print(cmd_stdout) - print(cmd_stderr) + if cmd_stdout: + log.debug(cmd_stdout) + if cmd_stderr: + log.debug(cmd_stderr) def rm_container(name): if os.environ.get('SHOW_DIFF', None): - print('Diffing container: %s' % name) + log.info('Diffing container: %s' % name) subproc = subprocess.Popen(['/usr/bin/docker', 'diff', name], stdout=subprocess.PIPE, stderr=subprocess.PIPE) cmd_stdout, cmd_stderr = subproc.communicate() - print(cmd_stdout) - print(cmd_stderr) + if cmd_stdout: + log.debug(cmd_stdout) + if cmd_stderr: + log.debug(cmd_stderr) - print('Removing container: %s' % name) + log.info('Removing container: %s' % name) subproc = subprocess.Popen(['/usr/bin/docker', 'rm', name], stdout=subprocess.PIPE, stderr=subprocess.PIPE) cmd_stdout, cmd_stderr = subproc.communicate() - print(cmd_stdout) - print(cmd_stderr) + if cmd_stdout: + log.debug(cmd_stdout) + if cmd_stderr and \ + cmd_stderr != 'Error response from daemon: ' \ + 'No such container: {}\n'.format(name): + log.debug(cmd_stderr) process_count = int(os.environ.get('PROCESS_COUNT', multiprocessing.cpu_count())) +log.info('Running docker-puppet') config_file = os.environ.get('CONFIG', '/var/lib/docker-puppet/docker-puppet.json') -print('docker-puppet') -print('CONFIG: %s' % config_file) +log.debug('CONFIG: %s' % config_file) with open(config_file) as f: json_data = json.load(f) 
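Review bot: `pull_image` still never looks at `subproc.returncode`, so a failed `docker pull` now surfaces only as a DEBUG line and the run presumably carries on with whatever image is, or is not, already cached locally; consider `if subproc.returncode != 0: log.error('Failed to pull image: %s' % name)` after the `communicate()` call. The `docker diff` and `docker rm` calls in `rm_container` have the same unchecked return code. The exact-string comparison against `'Error response from daemon: No such container: {}\n'` depends on the daemon's message wording and silently stops matching if that text changes, so a comment such as `# best-effort: hide the expected "no such container" noise` would make the intent clear.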
@@ -105,16 +121,15 @@ for service in (json_data or []): if not manifest or not config_image: continue - print('---------') - print('config_volume %s' % config_volume) - print('puppet_tags %s' % puppet_tags) - print('manifest %s' % manifest) - print('config_image %s' % config_image) - print('volumes %s' % volumes) + log.debug('config_volume %s' % config_volume) + log.debug('puppet_tags %s' % puppet_tags) + log.debug('manifest %s' % manifest) + log.debug('config_image %s' % config_image) + log.debug('volumes %s' % volumes) # We key off of config volume for all configs. if config_volume in configs: # Append puppet tags and manifest. - print("Existing service, appending puppet tags and manifest\n") + log.info("Existing service, appending puppet tags and manifest") if puppet_tags: configs[config_volume][1] = '%s,%s' % (configs[config_volume][1], puppet_tags) 
@@ -122,24 +137,22 @@ for service in (json_data or []): configs[config_volume][2] = '%s\n%s' % (configs[config_volume][2], manifest) if configs[config_volume][3] != config_image: - print("WARNING: Config containers do not match even though" - " shared volumes are the same!\n") + log.warn("Config containers do not match even though" + " shared volumes are the same!") else: - print("Adding new service\n") + log.info("Adding new service") configs[config_volume] = service -print('Service compilation completed.\n') +log.info('Service compilation completed.') def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volumes)): - print('---------') - print('config_volume %s' % config_volume) - print('puppet_tags %s' % puppet_tags) - print('manifest %s' % manifest) - print('config_image %s' % config_image) - print('volumes %s' % volumes) - hostname = short_hostname() - sh_script = '/var/lib/docker-puppet/docker-puppet-%s.sh' % config_volume + log.debug('config_volume %s' % config_volume) + log.debug('puppet_tags %s' % puppet_tags) + log.debug('manifest %s' % manifest) + log.debug('config_image %s' % config_image) + log.debug('volumes %s' % volumes) + sh_script = '/var/lib/docker-puppet/docker-puppet.sh' with open(sh_script, 'w') as script_file: os.chmod(script_file.name, 0755) 
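Review bot: `sh_script` is now the single path `/var/lib/docker-puppet/docker-puppet.sh` for every config volume, yet `mp_puppet_config` still opens it with `open(sh_script, 'w')` on each call, and those calls run in parallel under `multiprocessing.Pool`, so one worker can truncate the file while another worker's container is starting it as its entrypoint. Since the script body no longer varies per service, it could be written once at module level before the pool is created, or the per-volume file name could be kept. Separately, `log.warn` is a deprecated alias and `log.warning(...)` is the supported spelling. The body of `mp_puppet_config` continues past the end of this hunk.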
@@ -148,43 +161,40 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume mkdir -p /etc/puppet cp -a /tmp/puppet-etc/* /etc/puppet rm -Rf /etc/puppet/ssl # not in use and causes permission errors - echo '{"step": %(step)s}' > /etc/puppet/hieradata/docker.json + echo "{\\"step\\": $STEP}" > /etc/puppet/hieradata/docker.json TAGS="" - if [ -n "%(puppet_tags)s" ]; then - TAGS='--tags "%(puppet_tags)s"' + if [ -n "$PUPPET_TAGS" ]; then + TAGS="--tags \"$PUPPET_TAGS\"" fi - FACTER_hostname=%(hostname)s FACTER_uuid=docker /usr/bin/puppet apply --verbose $TAGS /etc/config.pp + FACTER_hostname=$HOSTNAME FACTER_uuid=docker /usr/bin/puppet apply --verbose $TAGS /etc/config.pp # Disables archiving - if [ -z "%(no_archive)s" ]; then - rm -Rf /var/lib/config-data/%(name)s + if [ -z "$NO_ARCHIVE" ]; then + rm -Rf /var/lib/config-data/${NAME} # copying etc should be enough for most services - mkdir -p /var/lib/config-data/%(name)s/etc - cp -a /etc/* /var/lib/config-data/%(name)s/etc/ + mkdir -p /var/lib/config-data/${NAME}/etc + cp -a /etc/* /var/lib/config-data/${NAME}/etc/ if [ -d /root/ ]; then - cp -a /root/ /var/lib/config-data/%(name)s/root/ + cp -a /root/ /var/lib/config-data/${NAME}/root/ fi if [ -d /var/lib/ironic/tftpboot/ ]; then - mkdir -p /var/lib/config-data/%(name)s/var/lib/ironic/ - cp -a /var/lib/ironic/tftpboot/ /var/lib/config-data/%(name)s/var/lib/ironic/tftpboot/ + mkdir -p /var/lib/config-data/${NAME}/var/lib/ironic/ + cp -a /var/lib/ironic/tftpboot/ /var/lib/config-data/${NAME}/var/lib/ironic/tftpboot/ fi if [ -d /var/lib/ironic/httpboot/ ]; then - mkdir -p /var/lib/config-data/%(name)s/var/lib/ironic/ - cp -a /var/lib/ironic/httpboot/ /var/lib/config-data/%(name)s/var/lib/ironic/httpboot/ + mkdir -p /var/lib/config-data/${NAME}/var/lib/ironic/ + cp -a /var/lib/ironic/httpboot/ /var/lib/config-data/${NAME}/var/lib/ironic/httpboot/ fi # apache services may files placed in /var/www/ if [ -d /var/www/ ]; then - mkdir -p 
/var/lib/config-data/%(name)s/var/www - cp -a /var/www/* /var/lib/config-data/%(name)s/var/www/ + mkdir -p /var/lib/config-data/${NAME}/var/www + cp -a /var/www/* /var/lib/config-data/${NAME}/var/www/ fi fi - """ % {'puppet_tags': puppet_tags, 'name': config_volume, - 'hostname': hostname, - 'no_archive': os.environ.get('NO_ARCHIVE', ''), - 'step': os.environ.get('STEP', '6')}) + """) with tempfile.NamedTemporaryFile() as tmp_man: with open(tmp_man.name, 'w') as man_file: 
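Review bot: The embedded shell now reads `NAME` from the environment but expands it unquoted, and `rm -Rf /var/lib/config-data/${NAME}` resolves to the whole `/var/lib/config-data/` tree (bind-mounted read-write from the host) if `NAME` is ever empty; nothing in the lines shown rejects an empty `config_volume`. Quoting and guarding the expansion closes both gaps, e.g. `rm -Rf "/var/lib/config-data/${NAME:?}"`, with the same quoting on the `mkdir -p` and `cp -a` targets. `TAGS="--tags \"$PUPPET_TAGS\""` followed by an unquoted `$TAGS` also appears to hand puppet the tag list wrapped in literal double quotes, as the old code did; calling `puppet apply --tags "$PUPPET_TAGS"` from an `if`/`else` would avoid that. The start of the script is outside this hunk.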
@@ -197,33 +207,55 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume dcmd = ['/usr/bin/docker', 'run', '--user', 'root', '--name', 'docker-puppet-%s' % config_volume, + '--env', 'PUPPET_TAGS=%s' % puppet_tags, + '--env', 'NAME=%s' % config_volume, + '--env', 'HOSTNAME=%s' % short_hostname(), + '--env', 'NO_ARCHIVE=%s' % os.environ.get('NO_ARCHIVE', ''), + '--env', 'STEP=%s' % os.environ.get('STEP', '6'), '--volume', '%s:/etc/config.pp:ro' % tmp_man.name, '--volume', '/etc/puppet/:/tmp/puppet-etc/:ro', '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro', '--volume', '/var/lib/config-data/:/var/lib/config-data/:rw', '--volume', 'tripleo_logs:/var/log/tripleo/', + # OpenSSL trusted CA injection + '--volume', '/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro', + '--volume', '/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro', + '--volume', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro', + '--volume', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro', + # script injection '--volume', '%s:%s:rw' % (sh_script, sh_script) ] for volume in volumes: - dcmd.extend(['--volume', volume]) + if volume: + dcmd.extend(['--volume', volume]) dcmd.extend(['--entrypoint', sh_script]) env = {} + # NOTE(flaper87): Always copy the DOCKER_* environment variables as + # they contain the access data for the docker daemon. 
+ for k in filter(lambda k: k.startswith('DOCKER'), os.environ.keys()): + env[k] = os.environ.get(k) + if os.environ.get('NET_HOST', 'false') == 'true': - print('NET_HOST enabled') + log.debug('NET_HOST enabled') dcmd.extend(['--net', 'host', '--volume', '/etc/hosts:/etc/hosts:ro']) dcmd.append(config_image) + log.debug('Running docker command: %s' % ' '.join(dcmd)) subproc = subprocess.Popen(dcmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=env) cmd_stdout, cmd_stderr = subproc.communicate() - print(cmd_stdout) - print(cmd_stderr) + if cmd_stdout: + log.debug(cmd_stdout) + if cmd_stderr: + log.debug(cmd_stderr) if subproc.returncode != 0: - print('Failed running docker-puppet.py for %s' % config_volume) - rm_container('docker-puppet-%s' % config_volume) + log.error('Failed running docker-puppet.py for %s' % config_volume) + else: + # only delete successful runs, for debugging + rm_container('docker-puppet-%s' % config_volume) return subproc.returncode # Holds all the information for each process to consume. 
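Review bot: The entrypoint script is bind-mounted with `'%s:%s:rw' % (sh_script, sh_script)` into a container started with `--user root`, and now that every service shares one host script, a process in any config image can modify the entrypoint that later containers execute; the container only needs to read it, so `'%s:%s:ro' % (sh_script, sh_script)` is sufficient. The `DOCKER_*` comment does not match the filter, which accepts any variable whose name merely starts with `DOCKER`; `k.startswith('DOCKER_')` matches the stated intent. Containers from failed runs are now kept for debugging, so a comment noting that they, and any generated config inside them, need manual cleanup would help operators.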
@@ -241,16 +273,25 @@ for config_volume in configs: volumes = service[4] if len(service) > 4 else [] if puppet_tags: - puppet_tags = "file,file_line,concat,%s" % puppet_tags + puppet_tags = "file,file_line,concat,augeas,%s" % puppet_tags else: - puppet_tags = "file,file_line,concat" + puppet_tags = "file,file_line,concat,augeas" process_map.append([config_volume, puppet_tags, manifest, config_image, volumes]) for p in process_map: - print '--\n%s' % p + log.debug('- %s' % p) # Fire off processes to perform each configuration. Defaults # to the number of CPUs on the system. p = multiprocessing.Pool(process_count) -p.map(mp_puppet_config, process_map) +returncodes = list(p.map(mp_puppet_config, process_map)) +config_volumes = [pm[0] for pm in process_map] +success = True +for returncode, config_volume in zip(returncodes, config_volumes): + if returncode != 0: + log.error('ERROR configuring %s' % config_volume) + success = False + +if not success: + sys.exit(1) diff --git a/docker/docker-steps.j2 b/docker/docker-steps.j2 new file mode 100644 index 00000000..d380191d --- /dev/null +++ b/docker/docker-steps.j2 
@@ -0,0 +1,356 @@ +# certain initialization steps (run in a container) will occur +# on the role marked as primary controller or the first role listed +{%- set primary_role = [roles[0]] -%} +{%- for role in roles -%} + {%- if 'primary' in role.tags and 'controller' in role.tags -%} + {%- set _ = primary_role.pop() -%} + {%- set _ = primary_role.append(role) -%} + {%- endif -%} +{%- endfor -%} +{%- set primary_role_name = primary_role[0].name -%} +# primary role is: {{primary_role_name}} +{% set deploy_steps_max = 6 -%} + +heat_template_version: pike + +description: > + Post-deploy configuration steps via puppet for all roles, + as defined in ../roles_data.yaml + +parameters: + servers: + type: json + description: Mapping of Role name e.g Controller to a list of servers + role_data: + type: json + description: Mapping of Role name e.g Controller to the per-role data + DeployIdentifier: + default: '' + type: string + description: > + Setting this to a unique value will re-run any deployment tasks which + perform configuration on a Heat stack-update. + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. 
+ type: json + +resources: + + # These utility tasks use docker-puppet.py to execute tasks via puppet + # We only execute these on the first node in the primary role + {{primary_role_name}}DockerPuppetTasks: + type: OS::Heat::Value + properties: + type: json + value: + yaql: + expression: + $.data.default_tasks + dict($.data.docker_puppet_tasks.where($1 != null).selectMany($.items()).groupBy($[0], $[1])) + data: + docker_puppet_tasks: {get_param: [role_data, {{primary_role_name}}, docker_puppet_tasks]} + default_tasks: +{%- for step in range(1, deploy_steps_max) %} + step_{{step}}: {} +{%- endfor %} + +# BEGIN primary_role_name docker-puppet-tasks (run only on a single node) +{% for step in range(1, deploy_steps_max) %} + + {{primary_role_name}}DockerPuppetJsonConfig{{step}}: + type: OS::Heat::StructuredConfig + properties: + group: json-file + config: + /var/lib/docker-puppet/docker-puppet-tasks{{step}}.json: + {get_attr: [{{primary_role_name}}DockerPuppetTasks, value, 'step_{{step}}']} + + {{primary_role_name}}DockerPuppetJsonDeployment{{step}}: + type: OS::Heat::SoftwareDeployment + properties: + server: {get_param: [servers, {{primary_role_name}}, '0']} + config: {get_resource: {{primary_role_name}}DockerPuppetJsonConfig{{step}}} + + {{primary_role_name}}DockerPuppetTasksConfig{{step}}: + type: OS::Heat::SoftwareConfig + properties: + group: script + config: {get_file: docker-puppet.py} + inputs: + - name: CONFIG + - name: NET_HOST + - name: NO_ARCHIVE + - name: STEP + + {{primary_role_name}}DockerPuppetTasksDeployment{{step}}: + type: OS::Heat::SoftwareDeployment + depends_on: + {% for dep in roles %} + - {{dep.name}}Deployment_Step{{step}} + - {{dep.name}}ContainersDeployment_Step{{step}} + {% endfor %} + - {{primary_role_name}}DockerPuppetJsonDeployment{{step}} + properties: + name: {{primary_role_name}}DockerPuppetJsonDeployment{{step}} + server: {get_param: [servers, {{primary_role_name}}, '0']} + config: {get_resource: 
{{primary_role_name}}DockerPuppetTasksConfig{{step}}} + input_values: + CONFIG: /var/lib/docker-puppet/docker-puppet-tasks{{step}}.json + NET_HOST: 'true' + NO_ARCHIVE: 'true' + STEP: {{step}} + +{% endfor %} +# END primary_role_name docker-puppet-tasks + +{% for role in roles %} + # Post deployment steps for all roles + # A single config is re-applied with an incrementing step number + # {{role.name}} Role steps + {{role.name}}ArtifactsConfig: + type: ../puppet/deploy-artifacts.yaml + + {{role.name}}ArtifactsDeploy: + type: OS::Heat::StructuredDeploymentGroup + properties: + servers: {get_param: [servers, {{role.name}}]} + config: {get_resource: {{role.name}}ArtifactsConfig} + + {{role.name}}PreConfig: + type: OS::TripleO::Tasks::{{role.name}}PreConfig + properties: + servers: {get_param: [servers, {{role.name}}]} + input_values: + update_identifier: {get_param: DeployIdentifier} + + {{role.name}}CreateConfigDir: + type: OS::Heat::SoftwareConfig + properties: + group: script + config: {get_file: create-config-dir.sh} + + {{role.name}}CreateConfigDirDeployment: + type: OS::Heat::SoftwareDeploymentGroup + properties: + servers: {get_param: [servers, {{role.name}}]} + config: {get_resource: {{role.name}}CreateConfigDir} + + {{role.name}}HostPrepAnsible: + type: OS::Heat::Value + properties: + value: + str_replace: + template: CONFIG + params: + CONFIG: + - hosts: localhost + connection: local + tasks: {get_param: [role_data, {{role.name}}, host_prep_tasks]} + + {{role.name}}HostPrepConfig: + type: OS::Heat::SoftwareConfig + properties: + group: ansible + options: + modulepath: /usr/share/ansible-modules + config: {get_attr: [{{role.name}}HostPrepAnsible, value]} + + {{role.name}}HostPrepDeployment: + type: OS::Heat::SoftwareDeploymentGroup + properties: + servers: {get_param: [servers, {{role.name}}]} + config: {get_resource: {{role.name}}HostPrepConfig} + + # this creates a JSON config file for our docker-puppet.py script + {{role.name}}GenPuppetConfig: + type: 
OS::Heat::StructuredConfig + properties: + group: json-file + config: + /var/lib/docker-puppet/docker-puppet.json: + {get_param: [role_data, {{role.name}}, puppet_config]} + + {{role.name}}GenPuppetDeployment: + type: OS::Heat::SoftwareDeploymentGroup + properties: + servers: {get_param: [servers, {{role.name}}]} + config: {get_resource: {{role.name}}GenPuppetConfig} + + {{role.name}}GenerateConfig: + type: OS::Heat::SoftwareConfig + properties: + group: script + config: {get_file: docker-puppet.py} + inputs: + - name: NET_HOST + + {{role.name}}GenerateConfigDeployment: + type: OS::Heat::SoftwareDeploymentGroup + depends_on: [{{role.name}}GenPuppetDeployment, {{role.name}}ArtifactsDeploy, {{role.name}}CreateConfigDirDeployment, {{role.name}}HostPrepDeployment] + properties: + name: {{role.name}}GenerateConfigDeployment + servers: {get_param: [servers, {{role.name}}]} + config: {get_resource: {{role.name}}GenerateConfig} + input_values: + NET_HOST: 'true' + + {{role.name}}PuppetStepConfig: + type: OS::Heat::Value + properties: + type: string + value: + yaql: + expression: + # select 'step_config' only from services that do not have a docker_config + $.data.service_names.zip($.data.step_config, $.data.docker_config).where($[2] = null).where($[1] != null).select($[1]).join("\n") + data: + service_names: {get_param: [role_data, {{role.name}}, service_names]} + step_config: {get_param: [role_data, {{role.name}}, step_config]} + docker_config: {get_param: [role_data, {{role.name}}, docker_config]} + + {{role.name}}DockerConfig: + type: OS::Heat::Value + properties: + type: json + value: + yaql: + expression: + # select 'docker_config' only from services that have it + $.data.service_names.zip($.data.docker_config).where($[1] != null).select($[1]).reduce($1.mergeWith($2), {}) + data: + service_names: {get_param: [role_data, {{role.name}}, service_names]} + docker_config: {get_param: [role_data, {{role.name}}, docker_config]} + + # Here we are dumping all the docker 
container startup configuration data + # so that we can have access to how they are started outside of heat + # and docker-cmd. This lets us create command line tools to start and + # test these containers. + {{role.name}}DockerConfigJsonStartupData: + type: OS::Heat::StructuredConfig + properties: + group: json-file + config: + /var/lib/docker-container-startup-configs.json: + {get_attr: [{{role.name}}DockerConfig, value]} + + {{role.name}}DockerConfigJsonStartupDataDeployment: + type: OS::Heat::SoftwareDeploymentGroup + properties: + config: {get_resource: {{role.name}}DockerConfigJsonStartupData} + servers: {get_param: [servers, {{role.name}}]} + + {{role.name}}KollaJsonConfig: + type: OS::Heat::StructuredConfig + properties: + group: json-file + config: + {get_param: [role_data, {{role.name}}, kolla_config]} + + {{role.name}}KollaJsonDeployment: + type: OS::Heat::SoftwareDeploymentGroup + properties: + name: {{role.name}}KollaJsonDeployment + config: {get_resource: {{role.name}}KollaJsonConfig} + servers: {get_param: [servers, {{role.name}}]} + + # BEGIN BAREMETAL CONFIG STEPS + + {{role.name}}PreConfig: + type: OS::TripleO::Tasks::{{role.name}}PreConfig + properties: + servers: {get_param: [servers, {{role.name}}]} + input_values: + update_identifier: {get_param: DeployIdentifier} + + {{role.name}}Config: + type: OS::TripleO::{{role.name}}Config + properties: + StepConfig: {get_attr: [{{role.name}}PuppetStepConfig, value]} + + {% for step in range(1, deploy_steps_max) %} + + {{role.name}}Deployment_Step{{step}}: + type: OS::Heat::StructuredDeploymentGroup + {% if step == 1 %} + depends_on: [{{role.name}}PreConfig, {{role.name}}ArtifactsDeploy] + {% else %} + depends_on: + {% for dep in roles %} + - {{dep.name}}Deployment_Step{{step -1}} + - {{dep.name}}ContainersDeployment_Step{{step -1}} + {% endfor %} + - {{primary_role_name}}DockerPuppetTasksDeployment{{step -1}} + {% endif %} + properties: + name: {{role.name}}Deployment_Step{{step}} + servers: {get_param: 
[servers, {{role.name}}]} + config: {get_resource: {{role.name}}Config} + input_values: + step: {{step}} + update_identifier: {get_param: DeployIdentifier} + + {% endfor %} + # END BAREMETAL CONFIG STEPS + + # BEGIN CONTAINER CONFIG STEPS + {% for step in range(1, deploy_steps_max) %} + + {{role.name}}ContainersConfig_Step{{step}}: + type: OS::Heat::StructuredConfig + properties: + group: docker-cmd + config: + {get_attr: [{{role.name}}DockerConfig, value, step_{{step}}]} + + {{role.name}}ContainersDeployment_Step{{step}}: + type: OS::Heat::StructuredDeploymentGroup + {% if step == 1 %} + depends_on: + - {{role.name}}KollaJsonDeployment + - {{role.name}}GenPuppetDeployment + - {{role.name}}GenerateConfigDeployment + {%- for dep in roles %} + - {{dep.name}}Deployment_Step{{step}} # baremetal steps of the same level run first + {%- endfor %} + {% else %} + depends_on: + {% for dep in roles %} + - {{dep.name}}ContainersDeployment_Step{{step -1}} + - {{dep.name}}Deployment_Step{{step}} # baremetal steps of the same level run first + - {{dep.name}}Deployment_Step{{step -1}} + {% endfor %} + - {{primary_role_name}}DockerPuppetTasksDeployment{{step -1}} + {% endif %} + properties: + name: {{role.name}}ContainersDeployment_Step{{step}} + servers: {get_param: [servers, {{role.name}}]} + config: {get_resource: {{role.name}}ContainersConfig_Step{{step}}} + + {% endfor %} + # END CONTAINER CONFIG STEPS + + {{role.name}}PostConfig: + type: OS::TripleO::Tasks::{{role.name}}PostConfig + depends_on: + {% for dep in roles %} + - {{dep.name}}Deployment_Step5 + - {{primary_role_name}}DockerPuppetTasksDeployment5 + {% endfor %} + properties: + servers: {get_param: servers} + input_values: + update_identifier: {get_param: DeployIdentifier} + + # Note, this should come last, so use depends_on to ensure + # this is created after any other resources. 
+ {{role.name}}ExtraConfigPost: + depends_on: + {% for dep in roles %} + - {{dep.name}}PostConfig + {% endfor %} + type: OS::TripleO::NodeExtraConfigPost + properties: + servers: {get_param: [servers, {{role.name}}]} + +{% endfor %} diff --git a/docker/firstboot/setup_docker_host.sh b/docker/firstboot/setup_docker_host.sh index b2287e91..8b4c6a03 100755 --- a/docker/firstboot/setup_docker_host.sh +++ b/docker/firstboot/setup_docker_host.sh @@ -1,26 +1,8 @@ #!/bin/bash set -eux -# TODO This would be better in puppet +# This file contains setup steps that can't be or have not yet been moved to +# puppet -# TODO remove this when built image includes docker -if [ ! -f "/usr/bin/docker" ]; then - yum -y install docker -fi - -# NOTE(mandre) $docker_namespace_is_registry is not a bash variable but is -# a place holder for text replacement done via heat -if [ "$docker_namespace_is_registry" = "True" ]; then - /usr/bin/systemctl stop docker.service - # if namespace is used with local registry, trim all namespacing - trim_var=$docker_registry - registry_host="${trim_var%%/*}" - /bin/sed -i -r "s/^[# ]*INSECURE_REGISTRY *=.+$/INSECURE_REGISTRY='--insecure-registry $registry_host'/" /etc/sysconfig/docker -fi - -# enable and start docker -/usr/bin/systemctl enable docker.service -/usr/bin/systemctl start docker.service - -# Disable libvirtd +# Disable libvirtd since it conflicts with nova_libvirt container /usr/bin/systemctl disable libvirtd.service /usr/bin/systemctl stop libvirtd.service diff --git a/docker/firstboot/setup_docker_host.yaml b/docker/firstboot/setup_docker_host.yaml index 2f258987..4b061e1c 100644 --- a/docker/firstboot/setup_docker_host.yaml +++ b/docker/firstboot/setup_docker_host.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike parameters: DockerNamespace: diff --git a/docker/post-upgrade.j2.yaml b/docker/post-upgrade.j2.yaml new file mode 100644 index 00000000..4477f868 --- /dev/null +++ b/docker/post-upgrade.j2.yaml 
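Review bot: In docker/docker-steps.j2 the resource `{{role.name}}PreConfig` is defined twice inside the `{% for role in roles %}` loop, once after `{{role.name}}ArtifactsDeploy` and again under `# BEGIN BAREMETAL CONFIG STEPS`, which renders a duplicate mapping key per role; the two bodies are identical, so the second copy can simply be dropped. The file introduces `deploy_steps_max`, but `{{role.name}}PostConfig` still hard-codes `Deployment_Step5` and `DockerPuppetTasksDeployment5`; `{{deploy_steps_max - 1}}` would keep them in step with the loops. `{{primary_role_name}}DockerPuppetTasksDeployment{{step}}` also sets `name:` to the `DockerPuppetJsonDeployment{{step}}` name, which looks like a copy-paste carried over from post.j2.yaml.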
@@ -0,0 +1,4 @@
+# Note the include here is the same as post.j2.yaml but the data used at
+# # the time of rendering is different if any roles disable upgrades
+{% set roles = roles|rejectattr('disable_upgrade_deployment')|list -%}
+{% include 'docker-steps.j2' %}
diff --git a/docker/post.j2.yaml b/docker/post.j2.yaml
index 76232d14..fd956215 100644
--- a/docker/post.j2.yaml
+++ b/docker/post.j2.yaml
@@ -1,325 +1 @@ -# certain initialization steps (run in a container) will occur -# on the first role listed in the roles file -{% set primary_role_name = roles[0].name -%} - -heat_template_version: ocata - -description: > - Post-deploy configuration steps via puppet for all roles, - as defined in ../roles_data.yaml - -parameters: - servers: - type: json - description: Mapping of Role name e.g Controller to a list of servers - role_data: - type: json - description: Mapping of Role name e.g Controller to the per-role data - DeployIdentifier: - default: '' - type: string - description: > - Setting this to a unique value will re-run any deployment tasks which - perform configuration on a Heat stack-update. - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - -resources: - - # These utility tasks use docker-puppet.py to execute tasks via puppet - # We only execute these on the first node in the primary role - {{primary_role_name}}DockerPuppetTasks: - type: OS::Heat::Value - properties: - type: json - value: - yaql: - expression: - dict($.data.docker_puppet_tasks.where($1 != null).selectMany($.items()).groupBy($[0], $[1])) - data: - docker_puppet_tasks: {get_param: [role_data, {{primary_role_name}}, docker_puppet_tasks]} - -# BEGIN primary_role_name docker-puppet-tasks (run only on a single node) -{% for step in range(1, 6) %} - - {{primary_role_name}}DockerPuppetJsonConfig{{step}}: - type: OS::Heat::StructuredConfig - properties: - group: json-file - config: - /var/lib/docker-puppet/docker-puppet-tasks{{step}}.json: - {get_attr: [{{primary_role_name}}DockerPuppetTasks, value, 'step_{{step}}']} - - {{primary_role_name}}DockerPuppetJsonDeployment{{step}}: - type: OS::Heat::SoftwareDeployment - properties: - server: {get_param: [servers, {{primary_role_name}}, '0']} - config: {get_resource: {{primary_role_name}}DockerPuppetJsonConfig{{step}}} - - 
{{primary_role_name}}DockerPuppetTasksConfig{{step}}: - type: OS::Heat::SoftwareConfig - properties: - group: script - config: {get_file: docker-puppet.py} - inputs: - - name: CONFIG - - name: NET_HOST - - name: NO_ARCHIVE - - name: STEP - - {{primary_role_name}}DockerPuppetTasksDeployment{{step}}: - type: OS::Heat::SoftwareDeployment - depends_on: - {% for dep in roles %} - - {{dep.name}}Deployment_Step{{step}} - - {{dep.name}}ContainersDeployment_Step{{step}} - {% endfor %} - - {{primary_role_name}}DockerPuppetJsonDeployment{{step}} - properties: - name: {{primary_role_name}}DockerPuppetJsonDeployment{{step}} - server: {get_param: [servers, {{primary_role_name}}, '0']} - config: {get_resource: {{primary_role_name}}DockerPuppetTasksConfig{{step}}} - input_values: - CONFIG: /var/lib/docker-puppet/docker-puppet-tasks{{step}}.json - NET_HOST: 'true' - NO_ARCHIVE: 'true' - STEP: {{step}} - -{% endfor %} -# END primary_role_name docker-puppet-tasks - -{% for role in roles %} - # Post deployment steps for all roles - # A single config is re-applied with an incrementing step number - # {{role.name}} Role steps - {{role.name}}ArtifactsConfig: - type: ../puppet/deploy-artifacts.yaml - - {{role.name}}ArtifactsDeploy: - type: OS::Heat::StructuredDeploymentGroup - properties: - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}ArtifactsConfig} - - {{role.name}}PreConfig: - type: OS::TripleO::Tasks::{{role.name}}PreConfig - properties: - servers: {get_param: [servers, {{role.name}}]} - input_values: - update_identifier: {get_param: DeployIdentifier} - - {{role.name}}CreateConfigDir: - type: OS::Heat::SoftwareConfig - properties: - group: script - config: {get_file: create-config-dir.sh} - - {{role.name}}CreateConfigDirDeployment: - type: OS::Heat::SoftwareDeploymentGroup - properties: - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}CreateConfigDir} - - # this creates a JSON config file for our 
docker-puppet.py script - {{role.name}}GenPuppetConfig: - type: OS::Heat::StructuredConfig - properties: - group: json-file - config: - /var/lib/docker-puppet/docker-puppet.json: - {get_param: [role_data, {{role.name}}, puppet_config]} - - {{role.name}}GenPuppetDeployment: - type: OS::Heat::SoftwareDeploymentGroup - properties: - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}GenPuppetConfig} - - {{role.name}}GenerateConfig: - type: OS::Heat::SoftwareConfig - properties: - group: script - config: {get_file: docker-puppet.py} - - {{role.name}}GenerateConfigDeployment: - type: OS::Heat::SoftwareDeploymentGroup - depends_on: [{{role.name}}GenPuppetDeployment, {{role.name}}ArtifactsDeploy, {{role.name}}CreateConfigDirDeployment] - properties: - name: {{role.name}}GenerateConfigDeployment - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}GenerateConfig} - - {{role.name}}PuppetStepConfig: - type: OS::Heat::Value - properties: - type: string - value: - yaql: - expression: - # select 'step_config' only from services that do not have a docker_image - $.data.service_names.zip($.data.step_config, $.data.docker_image).where($[2] = null).where($[1] != null).select($[1]).join("\n") - data: - service_names: {get_param: [role_data, {{role.name}}, service_names]} - step_config: {get_param: [role_data, {{role.name}}, step_config]} - docker_image: {get_param: [role_data, {{role.name}}, docker_image]} - - {{role.name}}DockerConfig: - type: OS::Heat::Value - properties: - type: json - value: - yaql: - expression: - # select 'docker_config' only from services that have a docker_image - $.data.service_names.zip($.data.docker_config, $.data.docker_image).where($[2] != null).select($[1]).reduce($1.mergeWith($2), {}) - data: - service_names: {get_param: [role_data, {{role.name}}, service_names]} - docker_config: {get_param: [role_data, {{role.name}}, docker_config]} - docker_image: {get_param: [role_data, 
{{role.name}}, docker_image]} - - # Here we are dumping all the docker container startup configuration data - # so that we can have access to how they are started outside of heat - # and docker-cmd. This lets us create command line tools to start and - # test these containers. - {{role.name}}DockerConfigJsonStartupData: - type: OS::Heat::StructuredConfig - properties: - group: json-file - config: - /var/lib/docker-container-startup-configs.json: - {get_attr: [{{role.name}}DockerConfig, value]} - - {{role.name}}DockerConfigJsonStartupDataDeployment: - type: OS::Heat::SoftwareDeploymentGroup - properties: - config: {get_resource: {{role.name}}DockerConfigJsonStartupData} - servers: {get_param: [servers, {{role.name}}]} - - {{role.name}}KollaJsonConfig: - type: OS::Heat::StructuredConfig - properties: - group: json-file - config: - {get_param: [role_data, {{role.name}}, kolla_config]} - - {{role.name}}KollaJsonDeployment: - type: OS::Heat::SoftwareDeploymentGroup - properties: - name: {{role.name}}KollaJsonDeployment - config: {get_resource: {{role.name}}KollaJsonConfig} - servers: {get_param: [servers, {{role.name}}]} - - # BEGIN BAREMETAL CONFIG STEPS - - {% if role.name == 'Controller' %} - ControllerPrePuppet: - type: OS::TripleO::Tasks::ControllerPrePuppet - properties: - servers: {get_param: [servers, Controller]} - input_values: - update_identifier: {get_param: DeployIdentifier} - {% endif %} - - {{role.name}}Config: - type: OS::TripleO::{{role.name}}Config - properties: - StepConfig: {get_attr: [{{role.name}}PuppetStepConfig, value]} - - {% for step in range(1, 6) %} - - {{role.name}}Deployment_Step{{step}}: - type: OS::Heat::StructuredDeploymentGroup - {% if step == 1 %} - depends_on: [{{role.name}}PreConfig, {{role.name}}ArtifactsDeploy] - {% else %} - depends_on: - {% for dep in roles %} - - {{dep.name}}Deployment_Step{{step -1}} - - {{dep.name}}ContainersDeployment_Step{{step -1}} - {% endfor %} - - {{primary_role_name}}DockerPuppetTasksDeployment{{step 
-1}} - {% endif %} - properties: - name: {{role.name}}Deployment_Step{{step}} - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}Config} - input_values: - step: {{step}} - update_identifier: {get_param: DeployIdentifier} - - {% endfor %} - # END BAREMETAL CONFIG STEPS - - # BEGIN CONTAINER CONFIG STEPS - {% for step in range(1, 6) %} - - {{role.name}}ContainersConfig_Step{{step}}: - type: OS::Heat::StructuredConfig - properties: - group: docker-cmd - config: - {get_attr: [{{role.name}}DockerConfig, value, step_{{step}}]} - - {{role.name}}ContainersDeployment_Step{{step}}: - type: OS::Heat::StructuredDeploymentGroup - {% if step == 1 %} - depends_on: - - {{role.name}}PreConfig - - {{role.name}}KollaJsonDeployment - - {{role.name}}GenPuppetDeployment - - {{role.name}}GenerateConfigDeployment - {% else %} - depends_on: - {% for dep in roles %} - - {{dep.name}}ContainersDeployment_Step{{step -1}} - - {{dep.name}}Deployment_Step{{step}} # baremetal steps of the same level run first - - {{dep.name}}Deployment_Step{{step -1}} - {% endfor %} - - {{primary_role_name}}DockerPuppetTasksDeployment{{step -1}} - {% endif %} - properties: - name: {{role.name}}ContainersDeployment_Step{{step}} - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}ContainersConfig_Step{{step}}} - - {% endfor %} - # END CONTAINER CONFIG STEPS - - {{role.name}}PostConfig: - type: OS::TripleO::Tasks::{{role.name}}PostConfig - depends_on: - {% for dep in roles %} - - {{dep.name}}Deployment_Step5 - - {{primary_role_name}}DockerPuppetTasksDeployment5 - {% endfor %} - properties: - servers: {get_param: servers} - input_values: - update_identifier: {get_param: DeployIdentifier} - - # Note, this should come last, so use depends_on to ensure - # this is created after any other resources. 
- {{role.name}}ExtraConfigPost: - depends_on: - {% for dep in roles %} - - {{dep.name}}PostConfig - {% endfor %} - type: OS::TripleO::NodeExtraConfigPost - properties: - servers: {get_param: [servers, {{role.name}}]} - - {% if role.name == 'Controller' %} - ControllerPostPuppet: - depends_on: - - ControllerExtraConfigPost - type: OS::TripleO::Tasks::ControllerPostPuppet - properties: - servers: {get_param: [servers, Controller]} - input_values: - update_identifier: {get_param: DeployIdentifier} - {% endif %} - -{% endfor %} +{% include 'docker-steps.j2' %} diff --git a/docker/services/README.rst b/docker/services/README.rst index 881a2a37..84ac842e 100644 --- a/docker/services/README.rst +++ b/docker/services/README.rst @@ -23,7 +23,7 @@ puppet (our configuration tool of choice) into the Kolla base images. The undercloud nova-scheduler also requires openstack-tripleo-common to provide custom filters. -To build Kolla images for TripleO adjust your kolla config to build your +To build Kolla images for TripleO adjust your kolla config [*]_ to build your centos base image with puppet using the example below: .. code-block:: @@ -37,6 +37,10 @@ kolla-build --base centos --template-override template-overrides.j2 .. +.. [*] See the + `override file <https://github.com/openstack/tripleo-common/blob/master/contrib/tripleo_kolla_template_overrides.j2>`_ + which can be used to build Kolla packages that work with TripleO, and an + `example build script <https://github.com/dprince/undercloud_containers/blob/master/build_kolla.sh>_. Docker settings --------------- 
@@ -58,27 +62,34 @@ are re-asserted when applying latter ones. the container itself at the /var/lib/kolla/config_files/config.json location and drives how kolla's external config mechanisms work. - * docker_image: The full name of the docker image that will be used. - * docker_config: Data that is passed to the docker-cmd hook to configure a container, or step of containers at each step. See the available steps below and the related docker-cmd hook documentation in the heat-agents project. - * puppet_tags: Puppet resource tag names that are used to generate config - files with puppet. Only the named config resources are used to generate - a config file. Any service that specifies tags will have the default - tags of 'file,concat,file_line' appended to the setting. - Example: keystone_config - - * config_volume: The name of the volume (directory) where config files - will be generated for this service. Use this as the location to - bind mount into the running Kolla container for configuration. - - * config_image: The name of the docker image that will be used for - generating configuration files. This is often the same value as - 'docker_image' above but some containers share a common set of - config files which are generated in a common base container. + * puppet_config: This section is a nested set of key value pairs + that drive the creation of config files using puppet. + Required parameters include: + + * puppet_tags: Puppet resource tag names that are used to generate config + files with puppet. Only the named config resources are used to generate + a config file. Any service that specifies tags will have the default + tags of 'file,concat,file_line,augeas' appended to the setting. + Example: keystone_config + + * config_volume: The name of the volume (directory) where config files + will be generated for this service. Use this as the location to + bind mount into the running Kolla container for configuration. 
+ + * config_image: The name of the docker image that will be used for + generating configuration files. This is often the same container + that the runtime service uses. Some services share a common set of + config files which are generated in a common base container. + + * step_config: This setting controls the manifest that is used to + create docker config files via puppet. The puppet tags below are + used along with this manifest to generate a config directory for + this container. * docker_puppet_tasks: This section provides data to drive the docker-puppet.py tool directly. The task is executed only once diff --git a/docker/services/aodh-api.yaml b/docker/services/aodh-api.yaml new file mode 100644 index 00000000..8a02d8fd --- /dev/null +++ b/docker/services/aodh-api.yaml 
@@ -0,0 +1,147 @@ +heat_template_version: pike + +description: > + OpenStack containerized aodh service + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerAodhApiImage: + description: image + default: 'centos-binary-aodh-api:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + AodhApiPuppetBase: + type: ../../puppet/services/aodh-api.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the aodh API role. 
+ value: + service_name: {get_attr: [AodhApiPuppetBase, role_data, service_name]} + config_settings: + map_merge: + - get_attr: [AodhApiPuppetBase, role_data, config_settings] + - apache::default_vhost: false + step_config: &step_config + get_attr: [AodhApiPuppetBase, role_data, step_config] + service_config_settings: {get_attr: [AodhApiPuppetBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: aodh + puppet_tags: aodh_api_paste_ini,aodh_config + step_config: *step_config + config_image: &aodh_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerAodhApiImage} ] + kolla_config: + /var/lib/kolla/config_files/aodh-api.json: + command: /usr/sbin/httpd -DFOREGROUND + permissions: + - path: /var/log/aodh + owner: aodh:aodh + recurse: true + docker_config: + # db sync runs before permissions set by kolla_config + step_3: + aodh_init_log: + start_order: 0 + image: *aodh_image + user: root + volumes: + - /var/log/containers/aodh:/var/log/aodh + command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd; chown -R aodh:aodh /var/log/aodh'] + aodh_db_sync: + start_order: 1 + image: *aodh_image + net: host + privileged: false + detach: false + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/config-data/aodh/etc/aodh/:/etc/aodh/:ro + - /var/log/containers/aodh:/var/log/aodh + command: /usr/bin/aodh-dbsync + step_4: + aodh_api: + image: *aodh_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/aodh-api.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/aodh/etc/aodh/:/etc/aodh/:ro + - /var/lib/config-data/aodh/etc/httpd/:/etc/httpd/:ro + - /var/lib/config-data/aodh/var/www/:/var/www/:ro + - /var/log/containers/aodh:/var/log/aodh + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - + if: + - 
internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/aodh + state: directory + upgrade_tasks: + - name: Stop and disable aodh service (running under httpd) + tags: step2 + service: name=httpd state=stopped enabled=no + metadata_settings: + get_attr: [AodhApiPuppetBase, role_data, metadata_settings] diff --git a/docker/services/aodh-evaluator.yaml b/docker/services/aodh-evaluator.yaml new file mode 100644 index 00000000..9d514d0c --- /dev/null +++ b/docker/services/aodh-evaluator.yaml 
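Review bot: The `DockerAodhApiImage` default is `centos-binary-aodh-api:latest` under the `tripleoupstream` namespace, so a deployment that keeps the defaults runs whatever that mutable tag resolves to at pull time. The step_3 `aodh_init_log` container runs the same image with `user: root`. The other new templates in this commit (aodh-evaluator, aodh-listener, aodh-notifier and the ceilometer-agent-* files) use the same `:latest` defaults. I would at least make the expectation explicit in the parameter text, e.g. `description: image (defaults to the moving latest tag; override with a pinned tag or digest for production)`.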
@@ -0,0 +1,103 @@ +heat_template_version: pike + +description: > + OpenStack containerized Aodh Evaluator service + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerAodhEvaluatorImage: + description: image + default: 'centos-binary-aodh-evaluator:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + AodhEvaluatorBase: + type: ../../puppet/services/aodh-evaluator.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Aodh API role. 
+ value: + service_name: {get_attr: [AodhEvaluatorBase, role_data, service_name]} + config_settings: + map_merge: + - get_attr: [AodhEvaluatorBase, role_data, config_settings] + step_config: &step_config + get_attr: [AodhEvaluatorBase, role_data, step_config] + service_config_settings: {get_attr: [AodhEvaluatorBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: aodh + puppet_tags: aodh_config + step_config: *step_config + config_image: &aodh_evaluator_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerAodhEvaluatorImage} ] + kolla_config: + /var/lib/kolla/config_files/aodh-evaluator.json: + command: /usr/bin/aodh-evaluator + permissions: + - path: /var/log/aodh + owner: aodh:aodh + recurse: true + docker_config: + step_4: + aodh_evaluator: + image: *aodh_evaluator_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/aodh-evaluator.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/aodh/etc/aodh/:/etc/aodh/:ro + - /var/log/containers/aodh:/var/log/aodh + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/aodh + state: directory + upgrade_tasks: + - name: Stop and disable openstack-aodh-evaluator service + tags: step2 + service: name=openstack-aodh-evaluator.service state=stopped enabled=no diff --git a/docker/services/aodh-listener.yaml b/docker/services/aodh-listener.yaml new file mode 100644 index 00000000..dac61087 --- /dev/null +++ b/docker/services/aodh-listener.yaml 
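Review bot: The `role_data` output description in aodh-evaluator.yaml reads `Role data for the Aodh API role.`, which looks copied from aodh-api.yaml. The aodh-listener.yaml and aodh-notifier.yaml hunks carry the same text. Suggest `description: Role data for the Aodh Evaluator role.` here, with Listener and Notifier in the other two. The one-element `map_merge` under `config_settings` could also be written as the plain `config_settings: {get_attr: [AodhEvaluatorBase, role_data, config_settings]}` form that the ceilometer templates use.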
@@ -0,0 +1,103 @@ +heat_template_version: pike + +description: > + OpenStack containerized Aodh Listener service + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerAodhListenerImage: + description: image + default: 'centos-binary-aodh-listener:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + AodhListenerBase: + type: ../../puppet/services/aodh-listener.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Aodh API role. 
+ value: + service_name: {get_attr: [AodhListenerBase, role_data, service_name]} + config_settings: + map_merge: + - get_attr: [AodhListenerBase, role_data, config_settings] + step_config: &step_config + get_attr: [AodhListenerBase, role_data, step_config] + service_config_settings: {get_attr: [AodhListenerBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: aodh + puppet_tags: aodh_config + step_config: *step_config + config_image: &aodh_listener_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerAodhListenerImage} ] + kolla_config: + /var/lib/kolla/config_files/aodh-listener.json: + command: /usr/bin/aodh-listener + permissions: + - path: /var/log/aodh + owner: aodh:aodh + recurse: true + docker_config: + step_4: + aodh_listener: + image: *aodh_listener_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/aodh-listener.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/aodh/etc/aodh/:/etc/aodh/:ro + - /var/log/containers/aodh:/var/log/aodh + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/aodh + state: directory + upgrade_tasks: + - name: Stop and disable openstack-aodh-listener service + tags: step2 + service: name=openstack-aodh-listener.service state=stopped enabled=no diff --git a/docker/services/aodh-notifier.yaml b/docker/services/aodh-notifier.yaml new file mode 100644 index 00000000..a22ae85e --- /dev/null +++ b/docker/services/aodh-notifier.yaml 
@@ -0,0 +1,103 @@ +heat_template_version: pike + +description: > + OpenStack containerized Aodh Notifier service + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerAodhNotifierImage: + description: image + default: 'centos-binary-aodh-notifier:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + AodhNotifierBase: + type: ../../puppet/services/aodh-notifier.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Aodh API role. 
+ value: + service_name: {get_attr: [AodhNotifierBase, role_data, service_name]} + config_settings: + map_merge: + - get_attr: [AodhNotifierBase, role_data, config_settings] + step_config: &step_config + get_attr: [AodhNotifierBase, role_data, step_config] + service_config_settings: {get_attr: [AodhNotifierBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: aodh + puppet_tags: aodh_config + step_config: *step_config + config_image: &aodh_notifier_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerAodhNotifierImage} ] + kolla_config: + /var/lib/kolla/config_files/aodh-notifier.json: + command: /usr/bin/aodh-notifier + permissions: + - path: /var/log/aodh + owner: aodh:aodh + recurse: true + docker_config: + step_4: + aodh_notifier: + image: *aodh_notifier_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/aodh-notifier.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/aodh/etc/aodh/:/etc/aodh/:ro + - /var/log/containers/aodh:/var/log/aodh + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/aodh + state: directory + upgrade_tasks: + - name: Stop and disable openstack-aodh-notifier service + tags: step2 + service: name=openstack-aodh-notifier.service state=stopped enabled=no diff --git a/docker/services/ceilometer-agent-central.yaml b/docker/services/ceilometer-agent-central.yaml new file mode 100644 index 00000000..94caded8 --- /dev/null +++ b/docker/services/ceilometer-agent-central.yaml 
@@ -0,0 +1,113 @@ +heat_template_version: pike + +description: > + OpenStack containerized Ceilometer Agent Central service + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerCeilometerCentralImage: + description: image + default: 'centos-binary-ceilometer-central:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + CeilometerAgentCentralBase: + type: ../../puppet/services/ceilometer-agent-central.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Ceilometer Agent Central role. 
+ value: + service_name: {get_attr: [CeilometerAgentCentralBase, role_data, service_name]} + config_settings: {get_attr: [CeilometerAgentCentralBase, role_data, config_settings]} + step_config: &step_config + get_attr: [CeilometerAgentCentralBase, role_data, step_config] + service_config_settings: {get_attr: [CeilometerAgentCentralBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: ceilometer + puppet_tags: ceilometer_config + step_config: *step_config + config_image: &ceilometer_agent_central_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerCeilometerCentralImage} ] + kolla_config: + /var/lib/kolla/config_files/ceilometer-agent-central.json: + command: /usr/bin/ceilometer-polling --polling-namespaces central + docker_config: + step_3: + ceilometer_init_log: + start_order: 0 + image: *ceilometer_agent_central_image + user: root + command: ['/bin/bash', '-c', 'chown -R ceilometer:ceilometer /var/log/ceilometer'] + volumes: + - /var/log/containers/ceilometer:/var/log/ceilometer + step_4: + ceilometer_agent_central: + image: *ceilometer_agent_central_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ceilometer-agent-central.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/ceilometer/etc/ceilometer/:/etc/ceilometer/:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + step_5: + ceilometer_gnocchi_upgrade: + start_order: 1 + image: *ceilometer_agent_central_image + net: host + detach: false + privileged: false + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/config-data/ceilometer/etc/ceilometer/:/etc/ceilometer/:ro + - /var/log/containers/ceilometer:/var/log/ceilometer + command: ["/usr/bin/ceilometer-upgrade", "--skip-metering-database"] + upgrade_tasks: + - name: Stop and disable ceilometer agent central 
service + tags: step2 + service: name=openstack-ceilometer-agent-central state=stopped enabled=no diff --git a/docker/services/ceilometer-agent-compute.yaml b/docker/services/ceilometer-agent-compute.yaml new file mode 100644 index 00000000..9033cf4a --- /dev/null +++ b/docker/services/ceilometer-agent-compute.yaml 
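Review bot: The step_4 `ceilometer_agent_central` container does not mount `/var/log/containers/ceilometer:/var/log/ceilometer`, although `ceilometer_init_log` in step_3 chowns that directory and `ceilometer_gnocchi_upgrade` in step_5 mounts it. If the agent writes to /var/log/ceilometer (its configuration is not visible here), those logs stay in the container's writable layer and never reach the host, where they would normally be collected and retained. Adding `- /var/log/containers/ceilometer:/var/log/ceilometer` to the step_4 volume list would match what the aodh templates do for their long-running containers. ceilometer-agent-notification.yaml has the same gap. Unlike the aodh templates, this file also has no `host_prep_tasks` entry that creates the host directory.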
@@ -0,0 +1,91 @@ +heat_template_version: pike + +description: > + OpenStack containerized Ceilometer Agent Compute service + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerCeilometerComputeImage: + description: image + default: 'centos-binary-ceilometer-compute:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + CeilometerAgentComputeBase: + type: ../../puppet/services/ceilometer-agent-compute.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Ceilometer Agent Compute role. 
+ value: + service_name: {get_attr: [CeilometerAgentComputeBase, role_data, service_name]} + config_settings: {get_attr: [CeilometerAgentComputeBase, role_data, config_settings]} + step_config: &step_config + get_attr: [CeilometerAgentComputeBase, role_data, step_config] + service_config_settings: {get_attr: [CeilometerAgentComputeBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: ceilometer + puppet_tags: ceilometer_config + step_config: *step_config + config_image: &ceilometer_agent_compute_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerCeilometerComputeImage} ] + kolla_config: + /var/lib/kolla/config_files/ceilometer-agent-compute.json: + command: /usr/bin/ceilometer-polling --polling-namespaces compute + docker_config: + step_4: + ceilometer_agent-compute: + image: *ceilometer_agent_compute_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ceilometer-agent-compute.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/ceilometer/etc/ceilometer/:/etc/ceilometer/:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + upgrade_tasks: + - name: Stop and disable ceilometer-agent-compute service + tags: step2 + service: name=openstack-ceilometer-agent-compute state=stopped enabled=no diff --git a/docker/services/ceilometer-agent-notification.yaml b/docker/services/ceilometer-agent-notification.yaml new file mode 100644 index 00000000..79df3306 --- /dev/null +++ b/docker/services/ceilometer-agent-notification.yaml 
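Review bot: The container key `ceilometer_agent-compute` under `step_4` mixes an underscore with a hyphen, while ceilometer-agent-central.yaml names its container `ceilometer_agent_central`. Anything that selects containers by name, such as log shipping rules or health checks, would presumably need a special case for it. Suggest `ceilometer_agent_compute:`. ceilometer-agent-notification.yaml has the same pattern with `ceilometer_agent-notification`.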
@@ -0,0 +1,113 @@ +heat_template_version: pike + +description: > + OpenStack containerized Ceilometer Agent Notification service + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerCeilometerNotificationImage: + description: image + default: 'centos-binary-ceilometer-notification:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + CeilometerAgentNotificationBase: + type: ../../puppet/services/ceilometer-agent-notification.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Ceilometer Agent Notification role. 
+ value: + service_name: {get_attr: [CeilometerAgentNotificationBase, role_data, service_name]} + config_settings: {get_attr: [CeilometerAgentNotificationBase, role_data, config_settings]} + step_config: &step_config + get_attr: [CeilometerAgentNotificationBase, role_data, step_config] + service_config_settings: {get_attr: [CeilometerAgentNotificationBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: ceilometer + puppet_tags: ceilometer_config + step_config: *step_config + config_image: &ceilometer_agent_notification_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerCeilometerNotificationImage} ] + kolla_config: + /var/lib/kolla/config_files/ceilometer-agent-notification.json: + command: /usr/bin/ceilometer-agent-notification + docker_config: + step_3: + ceilometer_init_log: + start_order: 0 + image: *ceilometer_agent_notification_image + user: root + command: ['/bin/bash', '-c', 'chown -R ceilometer:ceilometer /var/log/ceilometer'] + volumes: + - /var/log/containers/ceilometer:/var/log/ceilometer + step_4: + ceilometer_agent-notification: + image: *ceilometer_agent_notification_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ceilometer-agent-notification.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/ceilometer/etc/ceilometer/:/etc/ceilometer/:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + step_5: + ceilometer_gnocchi_upgrade: + start_order: 1 + image: *ceilometer_agent_notification_image + net: host + detach: false + privileged: false + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/config-data/ceilometer/etc/ceilometer/:/etc/ceilometer/:ro + - /var/log/containers/ceilometer:/var/log/ceilometer + command: ["/usr/bin/ceilometer-upgrade", "--skip-metering-database"] + upgrade_tasks: + - name: Stop 
and disable ceilometer agent notification service + tags: step2 + service: name=openstack-ceilometer-notification state=stopped enabled=no diff --git a/docker/services/containers-common.yaml b/docker/services/containers-common.yaml new file mode 100644 index 00000000..a4ebe549 --- /dev/null +++ b/docker/services/containers-common.yaml @@ -0,0 +1,18 @@ +heat_template_version: pike + +description: > + Contains a static list of common things necessary for containers + +outputs: + volumes: + description: Common volumes for the containers. + value: + - /etc/hosts:/etc/hosts:ro + - /etc/localtime:/etc/localtime:ro + # OpenSSL trusted CAs + - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro + - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro + - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro + - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro + # Syslog socket + - /dev/log:/dev/log diff --git a/docker/services/database/mongodb.yaml b/docker/services/database/mongodb.yaml index 3c4146fd..96a02f9f 100644 --- a/docker/services/database/mongodb.yaml +++ b/docker/services/database/mongodb.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > MongoDB service deployment using puppet and docker @@ -26,6 +26,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: @@ -35,6 +43,8 @@ resources: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
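Review bot: In containers-common.yaml the `volumes` output includes `/dev/log:/dev/log`, which gives the host's syslog socket to every container that concatenates this list. In this commit that covers the aodh and ceilometer service containers as well as the one-shot `aodh_db_sync` and `ceilometer_gnocchi_upgrade` containers. A process in any of them can typically write entries into the host syslog stream, so host-side log analysis should not assume a line came from the program it names. The `# Syslog socket` comment is the natural place to record this, e.g. `# Syslog socket: writable from every container using this list, so host syslog entries are not authenticated per service`.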
@@ -50,29 +60,25 @@ outputs: - "\n" - - "['Mongodb_database', 'Mongodb_user', 'Mongodb_replset'].each |String $val| { noop_resource($val) }" - {get_attr: [MongodbPuppetBase, role_data, step_config]} - upgrade_tasks: {get_attr: [MongodbPuppetBase, role_data, upgrade_tasks]} # BEGIN DOCKER SETTINGS # - docker_image: &mongodb_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMongodbImage} ] puppet_config: config_volume: mongodb puppet_tags: file # set this even though file is the default step_config: *step_config - config_image: *mongodb_image + config_image: &mongodb_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerMongodbImage} ] kolla_config: /var/lib/kolla/config_files/mongodb.json: command: /usr/bin/mongod --unixSocketPrefix=/var/run/mongodb --config /etc/mongod.conf run - config_files: - - dest: /etc/mongod.conf - source: /var/lib/kolla/config_files/src/etc/mongod.conf - owner: mongodb - perm: '0600' - - dest: /etc/mongos.conf - source: /var/lib/kolla/config_files/src/etc/mongos.conf - owner: mongodb - perm: '0600' + permissions: + - path: /var/lib/mongodb + owner: mongodb:mongodb + recurse: true + - path: /var/log/mongodb + owner: mongodb:mongodb + recurse: true docker_config: step_2: mongodb: @@ -81,10 +87,10 @@ outputs: privileged: false volumes: &mongodb_volumes - /var/lib/kolla/config_files/mongodb.json:/var/lib/kolla/config_files/config.json - - /var/lib/config-data/mongodb/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/mongodb/etc/:/etc/:ro - /etc/localtime:/etc/localtime:ro - - logs:/var/log/kolla - - mongodb:/var/lib/mongodb/ + - /var/log/containers/mongodb:/var/log/mongodb + - /var/lib/mongodb:/var/lib/mongodb environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS docker_puppet_tasks: 
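Review bot: In the `mongodb_volumes` list of mongodb.yaml the new entry `/var/lib/config-data/mongodb/etc/:/etc/:ro` bind-mounts over the container's entire `/etc`, whereas the aodh templates in this commit mount only service subdirectories such as `/etc/aodh/` and `/etc/httpd/`. Everything the image ships in /etc is then replaced by whatever the config-generation step left in that host directory (not shown here). The preceding hunk also removes the `config_files` entries, so kolla no longer applies the `perm: '0600'` that mongod.conf had, and the file mode now depends on the generated tree. A narrower mount such as `- /var/lib/config-data/mongodb/etc/mongod.conf:/etc/mongod.conf:ro` would leave the image's /etc intact. The visible part of the mysql.yaml hunk uses the same whole-/etc mount.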
@@ -93,10 +99,19 @@ outputs: config_volume: 'mongodb_init_tasks' puppet_tags: 'mongodb_database,mongodb_user,mongodb_replset' step_config: 'include ::tripleo::profile::base::database::mongodb' - config_image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMongodbImage} ] + config_image: *mongodb_image volumes: - - "mongodb:/var/lib/mongodb/" - - "logs:/var/log/kolla:ro" + - /var/lib/mongodb:/var/lib/mongodb + - /var/log/containers/mongodb:/var/log/mongodb + host_prep_tasks: + - name: create persistent directories + file: + path: "{{ item }}" + state: directory + with_items: + - /var/log/containers/mongodb + - /var/lib/mongodb + upgrade_tasks: + - name: Stop and disable mongodb service + tags: step2 + service: name=mongod state=stopped enabled=no diff --git a/docker/services/database/mysql.yaml b/docker/services/database/mysql.yaml index fd92e99c..73578e13 100644 --- a/docker/services/database/mysql.yaml +++ b/docker/services/database/mysql.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > MySQL service deployment using puppet @@ -26,6 +26,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json MysqlRootPassword: type: string hidden: true @@ -39,6 +47,8 @@ resources: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
@@ -59,48 +69,53 @@ outputs: - "\n" - - "['Mysql_datadir', 'Mysql_user', 'Mysql_database', 'Mysql_grant', 'Mysql_plugin'].each |String $val| { noop_resource($val) }" - {get_attr: [MysqlPuppetBase, role_data, step_config]} - upgrade_tasks: {get_attr: [MysqlPuppetBase, role_data, upgrade_tasks]} # BEGIN DOCKER SETTINGS # - docker_image: &mysql_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMysqlImage} ] puppet_config: config_volume: mysql puppet_tags: file # set this even though file is the default step_config: *step_config - config_image: *mysql_image + config_image: &mysql_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerMysqlImage} ] kolla_config: /var/lib/kolla/config_files/mysql.json: command: /usr/bin/mysqld_safe - config_files: - - dest: /etc/mysql/my.cnf - source: /var/lib/kolla/config_files/src/etc/my.cnf - owner: mysql - perm: '0644' - - dest: /etc/my.cnf.d/galera.cnf - source: /var/lib/kolla/config_files/src/etc/my.cnf.d/galera.cnf - owner: mysql - perm: '0644' + permissions: + - path: /var/lib/mysql + owner: mysql:mysql + recurse: true docker_config: + # Kolla_bootstrap runs before permissions set by kolla_config step_2: - mysql_bootstrap: + mysql_init_logs: start_order: 0 + image: *mysql_image + privileged: false + user: root + volumes: + - /var/log/containers/mysql:/var/log/mariadb + command: ['/bin/bash', '-c', 'chown -R mysql:mysql /var/log/mariadb'] + mysql_bootstrap: + start_order: 1 detach: false image: *mysql_image net: host + # Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done + command: ['bash', '-c', 'test -e /var/lib/mysql/mysql || kolla_start'] volumes: &mysql_volumes - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json - - /var/lib/config-data/mysql/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/mysql/etc/:/etc/:ro - /etc/localtime:/etc/localtime:ro - /etc/hosts:/etc/hosts:ro - - mariadb:/var/lib/mysql/ + - 
/var/lib/mysql:/var/lib/mysql + - /var/log/containers/mysql:/var/log/mariadb environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - KOLLA_BOOTSTRAP=True # NOTE(mandre) skip wsrep cluster status check - KOLLA_KUBERNETES=True - - + - list_join: - '=' - - 'DB_ROOT_PASSWORD' @@ -112,7 +127,7 @@ outputs: - {get_param: MysqlRootPassword} - {get_param: [DefaultPasswords, mysql_root_password]} mysql: - start_order: 1 + start_order: 2 image: *mysql_image restart: always net: host @@ -125,10 +140,20 @@ outputs: config_volume: 'mysql_init_tasks' puppet_tags: 'mysql_database,mysql_grant,mysql_user' step_config: 'include ::tripleo::profile::base::database::mysql' - config_image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMysqlImage} ] + config_image: *mysql_image volumes: - - "mariadb:/var/lib/mysql/:ro" - - "/var/lib/config-data/mysql/root:/root:ro" #provides .my.cnf + - /var/lib/mysql:/var/lib/mysql/:ro + - /var/log/containers/mysql:/var/log/mariadb + - /var/lib/config-data/mysql/root:/root:ro #provides .my.cnf + host_prep_tasks: + - name: create persistent directories + file: + path: "{{ item }}" + state: directory + with_items: + - /var/log/containers/mysql + - /var/lib/mysql + upgrade_tasks: + - name: Stop and disable mysql service + tags: step2 + service: name=mariadb state=stopped enabled=no diff --git a/docker/services/database/redis.yaml b/docker/services/database/redis.yaml new file mode 100644 index 00000000..73df96c5 --- /dev/null +++ b/docker/services/database/redis.yaml 
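Review bot: The guard in `mysql_bootstrap`, `test -e /var/lib/mysql/mysql || kolla_start`, treats the existence of the system-table directory as proof that bootstrap finished. If kolla_start creates that directory before it sets the root password (I cannot see that from this hunk), an interrupted first run is never retried and the database keeps whatever credentials the half-finished bootstrap left. I would state the assumption next to the command, e.g. `# assumes /var/lib/mysql/mysql only exists after a completed bootstrap`, or test for a marker that is written last.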
@@ -0,0 +1,101 @@ +heat_template_version: pike + +description: > + OpenStack containerized Redis services + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerRedisImage: + description: image + default: 'centos-binary-redis:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + RedisBase: + type: ../../../puppet/services/database/redis.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + +outputs: + role_data: + description: Role data for the Redis API role. 
+ value: + service_name: {get_attr: [RedisBase, role_data, service_name]} + config_settings: + map_merge: + - {get_attr: [RedisBase, role_data, config_settings]} + - redis::daemonize: false + step_config: &step_config + get_attr: [RedisBase, role_data, step_config] + service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: 'redis' + # NOTE: we need the exec tag to copy /etc/redis.conf.puppet to + # /etc/redis.conf + # https://github.com/arioch/puppet-redis/commit/1c004143223e660cbd433422ff8194508aab9763 + puppet_tags: 'exec' + step_config: *step_config + config_image: &redis_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerRedisImage} ] + kolla_config: + /var/lib/kolla/config_files/redis.json: + command: /usr/bin/redis-server /etc/redis.conf + permissions: + - path: /var/run/redis + owner: redis:redis + recurse: true + docker_config: + step_1: + redis: + image: *redis_image + net: host + privileged: false + restart: always + volumes: + - /run:/run + - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/redis/etc/:/etc/:ro + - /etc/localtime:/etc/localtime:ro + - logs:/var/log/kolla + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create /var/run/redis + file: + path: /var/run/redis + state: directory + upgrade_tasks: + - name: Stop and disable redis service + tags: step2 + service: name=redis state=stopped enabled=no diff --git a/docker/services/etcd.yaml b/docker/services/etcd.yaml new file mode 100644 index 00000000..e5a7096b --- /dev/null +++ b/docker/services/etcd.yaml 
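Review bot: The redis container mounts the host's entire `/run` read-write (`- /run:/run`) while running with `net: host`. Host /run usually holds the runtime sockets of other daemons, and the only path this template prepares or chowns there is /var/run/redis. I would mount just that: `- /var/run/redis:/var/run/redis`. The container also still logs to the named volume `logs:/var/log/kolla`, while the other services in this commit moved to a host directory under /var/log/containers.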
@@ -0,0 +1,113 @@ +heat_template_version: pike + +description: > + OpenStack containerized etcd services + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerEtcdImage: + description: image + default: 'centos-binary-etcd:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EtcdInitialClusterToken: + description: Initial cluster token for the etcd cluster during bootstrap. + type: string + hidden: true + +resources: + + EtcdPuppetBase: + type: ../../puppet/services/etcd.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EtcdInitialClusterToken: {get_param: EtcdInitialClusterToken} + +outputs: + role_data: + description: Role data for the etcd role. 
+ value: + service_name: {get_attr: [EtcdPuppetBase, role_data, service_name]} + step_config: &step_config + list_join: + - "\n" + - - "['Etcd_key'].each |String $val| { noop_resource($val) }" + - get_attr: [EtcdPuppetBase, role_data, step_config] + config_settings: + map_merge: + - {get_attr: [EtcdPuppetBase, role_data, config_settings]} + - etcd::manage_service: false + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: etcd + step_config: *step_config + config_image: &etcd_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerEtcdImage} ] + kolla_config: + /var/lib/kolla/config_files/etcd.json: + command: /usr/bin/etcd --config-file /etc/etcd/etcd.yml + permissions: + - path: /var/lib/etcd + owner: etcd:etcd + recurse: true + docker_config: + step_2: + etcd: + image: *etcd_image + net: host + privileged: false + restart: always + volumes: + - /var/lib/etcd:/var/lib/etcd + - /etc/localtime:/etc/localtime:ro + - /var/lib/kolla/config_files/etcd.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/etcd/etc/etcd/etcd.yml:/etc/etcd/etcd.yml:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + docker_puppet_tasks: + # Etcd keys initialization occurs only on single node + step_2: + config_volume: 'etcd_init_tasks' + puppet_tags: 'etcd_key' + step_config: 'include ::tripleo::profile::base::etcd' + config_image: *etcd_image + volumes: + - /var/lib/config-data/etcd/etc/:/etc + - /var/lib/etcd:/var/lib/etcd:ro + host_prep_tasks: + - name: create /var/lib/etcd + file: + path: /var/lib/etcd + state: directory + upgrade_tasks: + - name: Stop and disable etcd service + tags: step2 + service: name=etcd state=stopped enabled=no diff --git a/docker/services/glance-api.yaml b/docker/services/glance-api.yaml index ab62f7e3..ef1e00ed 100644 --- a/docker/services/glance-api.yaml +++ b/docker/services/glance-api.yaml 
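Review bot: In `docker_puppet_tasks` the mount `/var/lib/config-data/etcd/etc/:/etc` is writable and covers all of /etc, whereas the long-running etcd container gets only `etcd.yml`, read-only. With `puppet_tags: 'etcd_key'` the run should not need to write configuration (an assumption; the profile is not in this hunk), so `- /var/lib/config-data/etcd/etc/etcd/:/etc/etcd/:ro` would be enough and keeps the init task from altering the generated config.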
@@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Glance service configured with Puppet @@ -26,15 +26,36 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + resources: + ContainersCommon: + type: ./containers-common.yaml + GlanceApiPuppetBase: type: ../../puppet/services/glance-api.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
@@ -49,51 +70,82 @@ outputs: get_attr: [GlanceApiPuppetBase, role_data, step_config] service_config_settings: {get_attr: [GlanceApiPuppetBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS # - docker_image: &glance_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerGlanceApiImage} ] puppet_config: config_volume: glance_api puppet_tags: glance_api_config,glance_api_paste_ini,glance_swift_config,glance_cache_config step_config: *step_config - config_image: *glance_image + config_image: &glance_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerGlanceApiImage} ] kolla_config: - /var/lib/kolla/config_files/glance-api.json: - command: /usr/bin/glance-api --config-file /usr/share/glance/glance-api-dist.conf --config-file /etc/glance/glance-api.conf - config_files: - - dest: /etc/glance/glance-api.conf - owner: glance - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/glance/glance-api.conf - - dest: /etc/glance/glance-swift.conf - owner: glance - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/glance/glance-swift.conf + /var/lib/kolla/config_files/glance-api.json: + command: /usr/bin/glance-api --config-file /usr/share/glance/glance-api-dist.conf --config-file /etc/glance/glance-api.conf + /var/lib/kolla/config_files/glance_api_tls_proxy.json: + command: /usr/sbin/httpd -DFOREGROUND docker_config: + # Kolla_bootstrap/db_sync runs before permissions set by kolla_config step_3: + glance_init_logs: + start_order: 0 + image: *glance_image + privileged: false + user: root + volumes: + - /var/log/containers/glance:/var/log/glance + command: ['/bin/bash', '-c', 'chown -R glance:glance /var/log/glance'] glance_api_db_sync: + start_order: 1 image: *glance_image net: host privileged: false detach: false volumes: &glance_volumes - - /var/lib/kolla/config_files/glance-api.json:/var/lib/kolla/config_files/config.json - - /etc/localtime:/etc/localtime:ro - - /lib/modules:/lib/modules:ro - - 
/var/lib/config-data/glance_api/:/var/lib/kolla/config_files/src:ro - - /run:/run - - /dev:/dev - - /etc/hosts:/etc/hosts:ro + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/glance-api.json:/var/lib/kolla/config_files/config.json + - /var/lib/config-data/glance_api/etc/glance/:/etc/glance/:ro + - /var/log/containers/glance:/var/log/glance environment: - KOLLA_BOOTSTRAP=True - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS step_4: - glance_api: - image: *glance_image - net: host - privileged: false - restart: always - volumes: *glance_volumes - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + map_merge: + - glance_api: + start_order: 2 + image: *glance_image + net: host + privileged: false + restart: always + volumes: *glance_volumes + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - if: + - internal_tls_enabled + - glance_api_tls_proxy: + start_order: 2 + image: *glance_image + net: host + user: root + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/glance_api_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/glance_api/etc/httpd/:/etc/httpd/:ro + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - {} + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/glance + state: directory + upgrade_tasks: + - name: Stop and disable glance_api service + tags: step2 + service: name=openstack-glance-api state=stopped enabled=no diff --git a/docker/services/gnocchi-api.yaml b/docker/services/gnocchi-api.yaml new file mode 100644 index 00000000..9b474731 --- /dev/null +++ b/docker/services/gnocchi-api.yaml 
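Review bot: `glance_api_tls_proxy` is the only long-running container in this hunk that sets `user: root`, and it omits the `privileged: false` that `glance_api`, `glance_api_db_sync` and `glance_init_logs` all state. It also has the private key directory `/etc/pki/tls/private/httpd` mounted, so I would make the intent explicit: add `privileged: false` and a comment saying why root is required, as the heat-api hunks do with their `NOTE(mandre)` above `user: root`.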
@@ -0,0 +1,147 @@ +heat_template_version: pike + +description: > + OpenStack containerized gnocchi service + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerGnocchiApiImage: + description: image + default: 'centos-binary-gnocchi-api:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + GnocchiApiPuppetBase: + type: ../../puppet/services/gnocchi-api.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the gnocchi API role. 
+ value: + service_name: {get_attr: [GnocchiApiPuppetBase, role_data, service_name]} + config_settings: + map_merge: + - get_attr: [GnocchiApiPuppetBase, role_data, config_settings] + - apache::default_vhost: false + step_config: &step_config + get_attr: [GnocchiApiPuppetBase, role_data, step_config] + service_config_settings: {get_attr: [GnocchiApiPuppetBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: gnocchi + puppet_tags: gnocchi_api_paste_ini,gnocchi_config + step_config: *step_config + config_image: &gnocchi_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerGnocchiApiImage} ] + kolla_config: + /var/lib/kolla/config_files/gnocchi-api.json: + command: /usr/sbin/httpd -DFOREGROUND + permissions: + - path: /var/log/gnocchi + owner: gnocchi:gnocchi + recurse: true + docker_config: + # db sync runs before permissions set by kolla_config + step_3: + gnocchi_init_log: + start_order: 0 + image: *gnocchi_image + user: root + volumes: + - /var/log/containers/gnocchi:/var/log/gnocchi + command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd; chown -R gnocchi:gnocchi /var/log/gnocchi'] + gnocchi_db_sync: + start_order: 1 + image: *gnocchi_image + net: host + detach: false + privileged: false + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/config-data/gnocchi/etc/gnocchi/:/etc/gnocchi/:ro + - /var/log/containers/gnocchi:/var/log/gnocchi + command: ["/usr/bin/gnocchi-upgrade", "--skip-storage"] + step_4: + gnocchi_api: + image: *gnocchi_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/gnocchi-api.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/gnocchi/etc/gnocchi/:/etc/gnocchi/:ro + - /var/lib/config-data/gnocchi/etc/httpd/:/etc/httpd/:ro + - /var/lib/config-data/gnocchi/var/www/:/var/www/:ro + - 
/var/log/containers/gnocchi:/var/log/gnocchi + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - + if: + - internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/gnocchi + state: directory + upgrade_tasks: + - name: Stop and disable httpd service + tags: step2 + service: name=httpd state=stopped enabled=no + metadata_settings: + get_attr: [GnocchiApiPuppetBase, role_data, metadata_settings] diff --git a/docker/services/gnocchi-metricd.yaml b/docker/services/gnocchi-metricd.yaml new file mode 100644 index 00000000..2724805b --- /dev/null +++ b/docker/services/gnocchi-metricd.yaml 
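Review bot: The `mkdir -p /var/log/httpd` in `gnocchi_init_log` has no lasting effect: that container mounts only `/var/log/containers/gnocchi:/var/log/gnocchi`, so the directory is created in the init container's own filesystem and is not there for `gnocchi_api`, which is a separate container. If httpd in `gnocchi_api` needs /var/log/httpd, it has to come from the image or from a volume in that container's list. Otherwise the command can be reduced to `chown -R gnocchi:gnocchi /var/log/gnocchi`. `gnocchi_init_log` also leaves out the `privileged: false` that the glance and mysql init containers set.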
@@ -0,0 +1,101 @@ +heat_template_version: pike + +description: > + OpenStack containerized Gnocchi Metricd service + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerGnocchiMetricdImage: + description: image + default: 'centos-binary-gnocchi-metricd:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + GnocchiMetricdBase: + type: ../../puppet/services/gnocchi-metricd.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Gnocchi API role. 
+ value: + service_name: {get_attr: [GnocchiMetricdBase, role_data, service_name]} + config_settings: {get_attr: [GnocchiMetricdBase, role_data, config_settings]} + step_config: &step_config + get_attr: [GnocchiMetricdBase, role_data, step_config] + service_config_settings: {get_attr: [GnocchiMetricdBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: gnocchi + puppet_tags: gnocchi_config + step_config: *step_config + config_image: &gnocchi_metricd_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerGnocchiMetricdImage} ] + kolla_config: + /var/lib/kolla/config_files/gnocchi-metricd.json: + command: /usr/bin/gnocchi-metricd + permissions: + - path: /var/log/gnocchi + owner: gnocchi:gnocchi + recurse: true + docker_config: + step_4: + gnocchi_metricd: + image: *gnocchi_metricd_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/gnocchi-metricd.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/gnocchi/etc/gnocchi/:/etc/gnocchi/:ro + - /var/log/containers/gnocchi:/var/log/gnocchi + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/gnocchi + state: directory + upgrade_tasks: + - name: Stop and disable openstack-gnocchi-metricd service + tags: step2 + service: name=openstack-gnocchi-metricd.service state=stopped enabled=no diff --git a/docker/services/gnocchi-statsd.yaml b/docker/services/gnocchi-statsd.yaml new file mode 100644 index 00000000..305971f1 --- /dev/null +++ b/docker/services/gnocchi-statsd.yaml 
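Review bot: `config_volume: gnocchi` is the same volume name that gnocchi-api and gnocchi-statsd use, but each of the three templates gives it a different `config_image`, and gnocchi-api a different `puppet_tags` list. How docker-puppet resolves entries that share a volume is not visible in this hunk; the heat-api and heat-api-cfn hunks in this commit move away from the shared `heat` volume to `heat_api` / `heat_api_cfn`. If the sharing is deliberate, a comment such as `# shared with gnocchi-api and gnocchi-statsd` would help; otherwise a per-service name (for example `gnocchi_metricd`, with the `/var/lib/config-data/gnocchi/` mount changed to match) removes the ambiguity.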
@@ -0,0 +1,101 @@ +heat_template_version: pike + +description: > + OpenStack containerized Gnocchi Statsd service + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerGnocchiStatsdImage: + description: image + default: 'centos-binary-gnocchi-statsd:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + GnocchiStatsdBase: + type: ../../puppet/services/gnocchi-statsd.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Gnocchi API role. 
+ value: + service_name: {get_attr: [GnocchiStatsdBase, role_data, service_name]} + config_settings: {get_attr: [GnocchiStatsdBase, role_data, config_settings]} + step_config: &step_config + get_attr: [GnocchiStatsdBase, role_data, step_config] + service_config_settings: {get_attr: [GnocchiStatsdBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: gnocchi + puppet_tags: gnocchi_config + step_config: *step_config + config_image: &gnocchi_statsd_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerGnocchiStatsdImage} ] + kolla_config: + /var/lib/kolla/config_files/gnocchi-statsd.json: + command: /usr/bin/gnocchi-statsd + permissions: + - path: /var/log/gnocchi + owner: gnocchi:gnocchi + recurse: true + docker_config: + step_4: + gnocchi_statsd: + image: *gnocchi_statsd_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/gnocchi-statsd.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/gnocchi/etc/gnocchi/:/etc/gnocchi/:ro + - /var/log/containers/gnocchi:/var/log/gnocchi + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/gnocchi + state: directory + upgrade_tasks: + - name: Stop and disable openstack-gnocchi-statsd service + tags: step2 + service: name=openstack-gnocchi-statsd.service state=stopped enabled=no diff --git a/docker/services/heat-api-cfn.yaml b/docker/services/heat-api-cfn.yaml index fbaacbe6..2631928f 100644 --- a/docker/services/heat-api-cfn.yaml +++ b/docker/services/heat-api-cfn.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Heat API CFN service 
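Review bot: The output description reads `Role data for the Gnocchi API role.`, copied from the API template; it should be `Role data for the Gnocchi Statsd role.`. gnocchi-metricd.yaml carries the same copied description.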
@@ -12,10 +12,10 @@ parameters: description: image default: 'centos-binary-heat-api-cfn:latest' type: string - # we configure all heat services in the same heat engine container - DockerHeatEngineImage: + # puppet needs the heat-wsgi-api-cfn binary from centos-binary-heat-api-cfn + DockerHeatConfigImage: description: image - default: 'centos-binary-heat-engine:latest' + default: 'centos-binary-heat-api-cfn:latest' type: string EndpointMap: default: {} @@ -31,16 +31,35 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: + ContainersCommon: + type: ./containers-common.yaml + HeatBase: type: ../../puppet/services/heat-api-cfn.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
@@ -55,39 +74,61 @@ outputs: get_attr: [HeatBase, role_data, step_config] service_config_settings: {get_attr: [HeatBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &heat_api_cfn_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerHeatApiCfnImage} ] puppet_config: - config_volume: heat + config_volume: heat_api_cfn puppet_tags: heat_config,file,concat,file_line step_config: *step_config config_image: list_join: - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerHeatEngineImage} ] + - [ {get_param: DockerNamespace}, {get_param: DockerHeatConfigImage} ] kolla_config: - /var/lib/kolla/config_files/heat_api_cfn.json: - command: /usr/bin/heat-api-cfn --config-file /usr/share/heat/heat-dist.conf --config-file /etc/heat/heat.conf - config_files: - - dest: /etc/heat/heat.conf - owner: heat - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/heat/heat.conf + /var/lib/kolla/config_files/heat_api_cfn.json: + command: /usr/sbin/httpd -DFOREGROUND + permissions: + - path: /var/log/heat + owner: heat:heat + recurse: true docker_config: step_4: heat_api_cfn: - image: *heat_api_cfn_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerHeatApiCfnImage} ] net: host privileged: false restart: always + # NOTE(mandre) kolla image changes the user to 'heat', we need it + # to be root to run httpd + user: root volumes: - - /run:/run - - /var/lib/kolla/config_files/heat_api_cfn.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/heat/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /dev:/dev + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/heat_api_cfn.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/heat_api_cfn/etc/heat/:/etc/heat/:ro + - /var/lib/config-data/heat_api_cfn/etc/httpd/:/etc/httpd/:ro + - 
/var/lib/config-data/heat_api_cfn/var/www/:/var/www/:ro + - /var/log/containers/heat:/var/log/heat + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - + if: + - internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/heat + state: directory + upgrade_tasks: + - name: Stop and disable heat_api_cfn service + tags: step2 + service: name=httpd state=stopped enabled=no diff --git a/docker/services/heat-api.yaml b/docker/services/heat-api.yaml index df9160f4..b2f4eb64 100644 --- a/docker/services/heat-api.yaml +++ b/docker/services/heat-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Heat API service @@ -12,10 +12,10 @@ parameters: description: image default: 'centos-binary-heat-api:latest' type: string - # we configure all heat services in the same heat engine container - DockerHeatEngineImage: + # puppet needs the heat-wsgi-api binary from centos-binary-heat-api + DockerHeatConfigImage: description: image - default: 'centos-binary-heat-engine:latest' + default: 'centos-binary-heat-api:latest' type: string EndpointMap: default: {} 
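Review bot: When `internal_tls_enabled` is false the two `if` entries add `''` to the volumes list, so the container definition ends up with two empty volume strings. Whether the consumer of `docker_config` drops them is not visible here; the glance-api hunk handles the same condition by merging `{}` instead. I would confirm that behaviour and document the reliance above the first `if`, e.g. `# '' entries are dropped by the container launcher when TLS is off`. The heat-api and gnocchi-api hunks use the same construct.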
@@ -31,16 +31,35 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: + ContainersCommon: + type: ./containers-common.yaml + HeatBase: type: ../../puppet/services/heat-api.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
@@ -55,39 +74,61 @@ outputs: get_attr: [HeatBase, role_data, step_config] service_config_settings: {get_attr: [HeatBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &heat_api_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerHeatApiImage} ] puppet_config: - config_volume: heat + config_volume: heat_api puppet_tags: heat_config,file,concat,file_line step_config: *step_config config_image: list_join: - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerHeatEngineImage} ] + - [ {get_param: DockerNamespace}, {get_param: DockerHeatConfigImage} ] kolla_config: - /var/lib/kolla/config_files/heat_api.json: - command: /usr/bin/heat-api --config-file /usr/share/heat/heat-dist.conf --config-file /etc/heat/heat.conf - config_files: - - dest: /etc/heat/heat.conf - owner: heat - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/heat/heat.conf + /var/lib/kolla/config_files/heat_api.json: + command: /usr/sbin/httpd -DFOREGROUND + permissions: + - path: /var/log/heat + owner: heat:heat + recurse: true docker_config: step_4: heat_api: - image: *heat_api_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerHeatApiImage} ] net: host privileged: false restart: always + # NOTE(mandre) kolla image changes the user to 'heat', we need it + # to be root to run httpd + user: root volumes: - - /run:/run - - /var/lib/kolla/config_files/heat_api.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/heat/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /dev:/dev + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/heat_api.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/heat_api/etc/heat/:/etc/heat/:ro + - /var/lib/config-data/heat_api/etc/httpd/:/etc/httpd/:ro + - /var/lib/config-data/heat_api/var/www/:/var/www/:ro + - 
/var/log/containers/heat:/var/log/heat + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - + if: + - internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/heat + state: directory + upgrade_tasks: + - name: Stop and disable heat_api service + tags: step2 + service: name=httpd state=stopped enabled=no diff --git a/docker/services/heat-engine.yaml b/docker/services/heat-engine.yaml index c8259f93..8c554a50 100644 --- a/docker/services/heat-engine.yaml +++ b/docker/services/heat-engine.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Heat Engine service @@ -26,16 +26,29 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: + ContainersCommon: + type: ./containers-common.yaml + HeatBase: type: ../../puppet/services/heat-engine.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
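Review bot: In docker/services/heat-api.yaml the `heat_api` container under `step_4` now runs with `user: root` on `net: host`, and the NOTE above it only says root is needed "to run httpd" without naming the step that requires it. Recording the concrete requirement would let a later change narrow the privilege rather than keep root by default; I would extend the comment along the lines of `# root is required for <reason to confirm>; revisit once httpd can start as 'heat'`. When `internal_tls_enabled` is true the same container also receives `/etc/pki/tls/private/httpd`, so it is worth confirming that the httpd workers drop to an unprivileged user after startup. That configuration is generated by puppet and is not visible in this hunk.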
@@ -50,34 +63,43 @@ outputs: get_attr: [HeatBase, role_data, step_config] service_config_settings: {get_attr: [HeatBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &heat_engine_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerHeatEngineImage} ] puppet_config: config_volume: heat puppet_tags: heat_config,file,concat,file_line step_config: *step_config - config_image: *heat_engine_image + config_image: &heat_engine_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerHeatEngineImage} ] kolla_config: - /var/lib/kolla/config_files/heat_engine.json: - command: /usr/bin/heat-engine --config-file /usr/share/heat/heat-dist.conf --config-file /etc/heat/heat.conf - config_files: - - dest: /etc/heat/heat.conf - owner: heat - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/heat/heat.conf + /var/lib/kolla/config_files/heat_engine.json: + command: /usr/bin/heat-engine --config-file /usr/share/heat/heat-dist.conf --config-file /etc/heat/heat.conf + permissions: + - path: /var/log/heat + owner: heat:heat + recurse: true docker_config: + # db sync runs before permissions set by kolla_config step_3: + heat_init_log: + start_order: 0 + image: *heat_engine_image + user: root + volumes: + - /var/log/containers/heat:/var/log/heat + command: ['/bin/bash', '-c', 'chown -R heat:heat /var/log/heat'] heat_engine_db_sync: + start_order: 1 image: *heat_engine_image net: host privileged: false detach: false volumes: - - /var/lib/config-data/heat/etc/heat:/etc/heat:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/config-data/heat/etc/heat/:/etc/heat/:ro + - /var/log/containers/heat:/var/log/heat command: ['heat-manage', 'db_sync'] step_4: heat_engine: 
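Review bot: `heat_init_log` in `step_3` of docker/services/heat-engine.yaml runs as root but, unlike `heat_engine_db_sync` directly below it, sets neither `privileged: false` nor `detach: false`. The equivalent helpers added in ironic-api.yaml (`ironic_init_logs`) and mistral-api.yaml (`mistral_init_logs`) do set `privileged: false`, so adding `privileged: false` here keeps the root helper consistent with them. If the runner's default for `detach` is true, `start_order` alone may not guarantee that `chown -R heat:heat /var/log/heat` has finished before `heat-manage db_sync` writes to the same bind mount. Setting `detach: false` on the init container would make that ordering explicit, and the same question applies to the ironic and mistral init containers. The name also differs from its siblings (`_init_log` versus `_init_logs`).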
@@ -86,10 +108,20 @@ outputs: privileged: false restart: always volumes: - - /run:/run - - /var/lib/kolla/config_files/heat_engine.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/heat/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/heat_engine.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/heat/etc/heat/:/etc/heat/:ro + - /var/log/containers/heat:/var/log/heat environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/heat + state: directory + upgrade_tasks: + - name: Stop and disable heat_engine service + tags: step2 + service: name=openstack-heat-engine state=stopped enabled=no diff --git a/docker/services/ironic-api.yaml b/docker/services/ironic-api.yaml index 97ba9706..300aa0bd 100644 --- a/docker/services/ironic-api.yaml +++ b/docker/services/ironic-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Ironic API service @@ -30,15 +30,28 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: + ContainersCommon: + type: ./containers-common.yaml + IronicApiBase: type: ../../puppet/services/ironic-api.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
@@ -52,10 +65,6 @@ outputs: get_attr: [IronicApiBase, role_data, step_config] service_config_settings: {get_attr: [IronicApiBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &ironic_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerIronicApiImage} ] puppet_config: config_volume: ironic puppet_tags: ironic_config @@ -65,26 +74,38 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerIronicConfigImage} ] kolla_config: - /var/lib/kolla/config_files/ironic_api.json: - command: /usr/bin/ironic-api - config_files: - - dest: /etc/ironic/ironic.conf - owner: ironic - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/ironic/ironic.conf + /var/lib/kolla/config_files/ironic_api.json: + command: /usr/bin/ironic-api + permissions: + - path: /var/log/ironic + owner: ironic:ironic + recurse: true docker_config: + # db sync runs before permissions set by kolla_config step_3: + ironic_init_logs: + start_order: 0 + image: &ironic_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerIronicApiImage} ] + privileged: false + user: root + volumes: + - /var/log/containers/ironic:/var/log/ironic + command: ['/bin/bash', '-c', 'chown -R ironic:ironic /var/log/ironic'] ironic_db_sync: + start_order: 1 image: *ironic_image net: host privileged: false detach: false volumes: - - /var/lib/config-data/ironic/etc/:/etc/:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/config-data/ironic/etc/:/etc/:ro + - /var/log/containers/ironic:/var/log/ironic command: ['ironic-dbsync', '--config-file', '/etc/ironic/ironic.conf'] step_4: ironic_api: 
@@ -94,9 +115,20 @@ outputs: privileged: false restart: always volumes: - - /var/lib/kolla/config_files/ironic_api.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/ironic/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ironic_api.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/ironic/etc/:/etc/:ro + - /var/log/containers/ironic:/var/log/ironic environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/ironic + state: directory + upgrade_tasks: + - name: Stop and disable ironic_api service + tags: step2 + service: name=openstack-ironic-api state=stopped enabled=no diff --git a/docker/services/ironic-conductor.yaml b/docker/services/ironic-conductor.yaml index 2cc29054..360eb669 100644 --- a/docker/services/ironic-conductor.yaml +++ b/docker/services/ironic-conductor.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Ironic Conductor service @@ -30,15 +30,28 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: + ContainersCommon: + type: ./containers-common.yaml + IronicConductorBase: type: ../../puppet/services/ironic-conductor.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
@@ -50,6 +63,7 @@ outputs: - get_attr: [IronicConductorBase, role_data, config_settings] # to avoid hard linking errors we store these on the same # volume/device as the ironic master_path + # https://github.com/docker/docker/issues/7457 - ironic::drivers::pxe::tftp_root: /var/lib/ironic/tftpboot - ironic::drivers::pxe::tftp_master_path: /var/lib/ironic/tftpboot/master_images - ironic::pxe::tftp_root: /var/lib/ironic/tftpboot @@ -59,10 +73,6 @@ outputs: get_attr: [IronicConductorBase, role_data, step_config] service_config_settings: {get_attr: [IronicConductorBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &ironic_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerIronicConductorImage} ] puppet_config: config_volume: ironic puppet_tags: ironic_config 
@@ -72,43 +82,77 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerIronicConfigImage} ] kolla_config: - /var/lib/kolla/config_files/ironic_conductor.json: - command: /usr/bin/ironic-conductor - config_files: - - dest: /etc/ironic/ironic.conf - owner: ironic - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/ironic/ironic.conf - permissions: - - path: /var/lib/ironic/httpboot - owner: ironic:ironic - recurse: true - - path: /var/lib/ironic/tftpboot - owner: ironic:ironic - recurse: true + /var/lib/kolla/config_files/ironic_conductor.json: + command: /usr/bin/ironic-conductor + permissions: + - path: /var/lib/ironic + owner: ironic:ironic + recurse: true + - path: /var/log/ironic + owner: ironic:ironic + recurse: true docker_config: step_4: - ironic-init-dirs: - image: *ironic_image - user: root - command: ['/bin/bash', '-c', 'mkdir /var/lib/ironic/httpboot && mkdir /var/lib/ironic/tftpboot'] - volumes: - - ironic:/var/lib/ironic ironic_conductor: start_order: 80 - image: *ironic_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerIronicConductorImage} ] net: host privileged: true restart: always volumes: - - /var/lib/kolla/config_files/ironic_conductor.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/ironic/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /lib/modules:/lib/modules:ro - - /sys:/sys - - /dev:/dev - - /run:/run #shared? - - ironic:/var/lib/ironic + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ironic_conductor.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/ironic/etc/ironic/:/etc/ironic/:ro + - /lib/modules:/lib/modules:ro + - /sys:/sys + - /dev:/dev + - /run:/run #shared? 
+ - /var/lib/ironic:/var/lib/ironic + - /var/log/containers/ironic:/var/log/ironic environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent directories + file: + path: "{{ item }}" + state: directory + with_items: + - /var/log/containers/ironic + - /var/lib/ironic + - name: stat /httpboot + stat: path=/httpboot + register: stat_httpboot + - name: stat /tftpboot + stat: path=/tftpboot + register: stat_tftpboot + - name: stat /var/lib/ironic/httpboot + stat: path=/var/lib/ironic/httpboot + register: stat_ironic_httpboot + - name: stat /var/lib/ironic/tftpboot + stat: path=/var/lib/ironic/tftpboot + register: stat_ironic_tftpboot + # cannot use 'copy' module as with 'remote_src' it doesn't support recursion + - name: migrate /httpboot to containerized (if applicable) + command: /bin/cp -R /httpboot /var/lib/ironic/httpboot + when: stat_httpboot.stat.exists and not stat_ironic_httpboot.stat.exists + - name: migrate /tftpboot to containerized (if applicable) + command: /bin/cp -R /tftpboot /var/lib/ironic/tftpboot + when: stat_tftpboot.stat.exists and not stat_ironic_tftpboot.stat.exists + # Even if there was nothing to copy from original locations, + # we need to create the dirs before starting the containers + - name: ensure ironic pxe directories exist + file: + path: /var/lib/ironic/{{ item }} + state: directory + with_items: + - httpboot + - tftpboot + upgrade_tasks: + - name: Stop and disable ironic_conductor service + tags: step2 + service: name=openstack-ironic-conductor state=stopped enabled=no diff --git a/docker/services/ironic-pxe.yaml b/docker/services/ironic-pxe.yaml index 25505192..bc828e65 100644 --- a/docker/services/ironic-pxe.yaml +++ b/docker/services/ironic-pxe.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Ironic PXE service 
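Review bot: The two `file` tasks in `host_prep_tasks` of docker/services/ironic-conductor.yaml create `/var/lib/ironic`, `/var/lib/ironic/httpboot` and `/var/lib/ironic/tftpboot` on the host without `owner`, `group` or `mode`, so their permissions depend on the umask of the run. These directories hold the boot files handed to nodes and are bind-mounted into the `privileged: true` conductor, whose kolla `permissions` entry then recursively chowns `/var/lib/ironic` to the container's `ironic` ids. Setting the mode explicitly, for example `mode: '0755'` under each `file:` block (or tighter if nothing else on the host reads them), makes the result deterministic. It is also worth confirming that the numeric uid of `ironic` inside the image does not correspond to an unrelated account on the host; that mapping is not visible here.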
@@ -30,6 +30,19 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml outputs: role_data: @@ -40,10 +53,6 @@ outputs: step_config: &step_config '' service_config_settings: {} # BEGIN DOCKER SETTINGS - docker_image: &ironic_pxe_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerIronicPxeImage} ] puppet_config: config_volume: ironic puppet_tags: ironic_config 
@@ -53,67 +62,43 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerIronicConfigImage} ] kolla_config: - /var/lib/kolla/config_files/ironic_pxe_http.json: - command: /usr/sbin/httpd -DFOREGROUND - config_files: - - dest: /etc/ironic/ironic.conf - owner: ironic - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/ironic/ironic.conf - - dest: /etc/httpd/conf.d/10-ipxe_vhost.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-ipxe_vhost.conf - - dest: /etc/httpd/conf/httpd.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/httpd.conf - - dest: /etc/httpd/conf/ports.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/ports.conf - /var/lib/kolla/config_files/ironic_pxe_tftp.json: - command: /usr/sbin/in.tftpd --foreground --user root --address 0.0.0.0:69 --map-file /var/lib/ironic/tftpboot/map-file /var/lib/ironic/tftpboot - config_files: - - dest: /etc/ironic/ironic.conf - owner: ironic - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/ironic/ironic.conf - - dest: /var/lib/ironic/tftpboot/chain.c32 - owner: ironic - perm: '0744' - source: /var/lib/kolla/config_files/src/var/lib/ironic/tftpboot/chain.c32 - - dest: /var/lib/ironic/tftpboot/pxelinux.0 - owner: ironic - perm: '0744' - source: /var/lib/kolla/config_files/src/var/lib/ironic/tftpboot/pxelinux.0 - - dest: /var/lib/ironic/tftpboot/ipxe.efi - owner: ironic - perm: '0744' - source: /var/lib/kolla/config_files/src/var/lib/ironic/tftpboot/ipxe.efi - - dest: /var/lib/ironic/tftpboot/undionly.kpxe - owner: ironic - perm: '0744' - source: /var/lib/kolla/config_files/src/var/lib/ironic/tftpboot/undionly.kpxe - - dest: /var/lib/ironic/tftpboot/map-file - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/var/lib/ironic/tftpboot/map-file + /var/lib/kolla/config_files/ironic_pxe_http.json: + command: /usr/sbin/httpd -DFOREGROUND + 
/var/lib/kolla/config_files/ironic_pxe_tftp.json: + command: /usr/sbin/in.tftpd --foreground --user root --address 0.0.0.0:69 --map-file /var/lib/ironic/tftpboot/map-file /var/lib/ironic/tftpboot + permissions: + - path: /var/log/ironic + owner: ironic:ironic + recurse: true docker_config: step_4: ironic_pxe_tftp: start_order: 90 - image: *ironic_pxe_image + image: &ironic_pxe_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerIronicPxeImage} ] net: host privileged: false restart: always volumes: - - /var/lib/kolla/config_files/ironic_pxe_tftp.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/ironic/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /dev/log:/dev/log - - ironic:/var/lib/ironic/ + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ironic_pxe_tftp.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/ironic/etc/ironic/:/etc/ironic/:ro + # TODO(mandre) check how docker like mounting in a bind-mounted tree + # This directory may contain migrated data from BM + - /var/lib/ironic:/var/lib/ironic/ + # These files were generated by puppet inside the config container + # TODO(mandre) check the mount permission (ro/rw) + - /var/lib/config-data/ironic/var/lib/ironic/tftpboot/chain.c32:/var/lib/ironic/tftpboot/chain.c32 + - /var/lib/config-data/ironic/var/lib/ironic/tftpboot/pxelinux.0:/var/lib/ironic/tftpboot/pxelinux.0 + - /var/lib/config-data/ironic/var/lib/ironic/tftpboot/ipxe.efi:/var/lib/ironic/tftpboot/ipxe.efi + - /var/lib/config-data/ironic/var/lib/ironic/tftpboot/undionly.kpxe:/var/lib/ironic/tftpboot/undionly.kpxe + - /var/lib/config-data/ironic/var/lib/ironic/tftpboot/map-file:/var/lib/ironic/tftpboot/map-file + - /dev/log:/dev/log + - /var/log/containers/ironic:/var/log/ironic environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS ironic_pxe_http: 
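Review bot: The five single-file mounts added to `ironic_pxe_tftp` in docker/services/ironic-pxe.yaml (`chain.c32`, `pxelinux.0`, `ipxe.efi`, `undionly.kpxe`, `map-file`) are bind-mounted without `:ro`, and the TODO above them leaves the mode undecided. The kolla command in the same hunk starts `in.tftpd` with `--user root` on `0.0.0.0:69`, so a read-write mount lets anything running in that container modify the host copies under `/var/lib/config-data/ironic` that are served to booting nodes. Nothing in the hunk writes to these files, so I would append `:ro` to each, e.g. `- /var/lib/config-data/ironic/var/lib/ironic/tftpboot/pxelinux.0:/var/lib/ironic/tftpboot/pxelinux.0:ro`, and then drop the TODO.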
@@ -123,11 +108,22 @@ outputs: privileged: false restart: always volumes: - - /var/lib/kolla/config_files/ironic_pxe_http.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/ironic/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/ironic/etc/httpd/conf.modules.d:/etc/httpd/conf.modules.d:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - ironic:/var/lib/ironic/ + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/ironic_pxe_http.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/ironic/etc/ironic/:/etc/ironic/:ro + - /var/lib/config-data/ironic/etc/httpd/:/etc/httpd/:ro + - /var/lib/config-data/ironic/var/www/:/var/www/:ro + - /var/lib/ironic:/var/lib/ironic/ + - /var/log/containers/ironic:/var/log/ironic environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent directories + file: + path: "{{ item }}" + state: directory + with_items: + - /var/lib/ironic + - /var/log/containers/ironic diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml index f9b94a74..ca643749 100644 --- a/docker/services/keystone.yaml +++ b/docker/services/keystone.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Keystone service 
@@ -26,19 +26,45 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json AdminPassword: description: The password for the keystone admin account, used for monitoring, querying neutron etc. type: string hidden: true + KeystoneTokenProvider: + description: The keystone token format + type: string + default: 'fernet' + constraints: + - allowed_values: ['uuid', 'fernet'] + EnableInternalTLS: + type: boolean + default: false resources: + ContainersCommon: + type: ./containers-common.yaml + KeystoneBase: type: ../../puppet/services/keystone.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} outputs: role_data: 
@@ -56,64 +82,27 @@ outputs: - {get_attr: [KeystoneBase, role_data, step_config]} service_config_settings: {get_attr: [KeystoneBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &keystone_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerKeystoneImage} ] puppet_config: config_volume: keystone puppet_tags: keystone_config step_config: *step_config - config_image: *keystone_image + config_image: &keystone_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerKeystoneImage} ] kolla_config: - /var/lib/kolla/config_files/keystone.json: - command: /usr/sbin/httpd -DFOREGROUND - config_files: - - dest: /etc/keystone/keystone.conf - owner: keystone - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/keystone/keystone.conf - - dest: /etc/keystone/credential-keys/0 - owner: keystone - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/0 - - dest: /etc/keystone/credential-keys/1 - owner: keystone - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/1 - - dest: /etc/httpd/conf.d/10-keystone_wsgi_admin.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-keystone_wsgi_admin.conf - - dest: /etc/httpd/conf.d/10-keystone_wsgi_main.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-keystone_wsgi_main.conf - - dest: /etc/httpd/conf/httpd.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/httpd.conf - - dest: /etc/httpd/conf/ports.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/ports.conf - - dest: /var/www/cgi-bin/keystone/keystone-admin - owner: keystone - perm: '0644' - source: /var/lib/kolla/config_files/src/var/www/cgi-bin/keystone/keystone-admin - - dest: /var/www/cgi-bin/keystone/keystone-public - owner: keystone - perm: '0644' - source: 
/var/lib/kolla/config_files/src/var/www/cgi-bin/keystone/keystone-public + /var/lib/kolla/config_files/keystone.json: + command: /usr/sbin/httpd -DFOREGROUND docker_config: + # Kolla_bootstrap/db sync runs before permissions set by kolla_config step_3: - keystone-init-log: + keystone_init_log: start_order: 0 image: *keystone_image user: root - command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd && mkdir -p /var/log/keystone && chown keystone:keystone /var/log/keystone'] + command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd; chown -R keystone:keystone /var/log/keystone'] volumes: - - logs:/var/log + - /var/log/containers/keystone:/var/log/keystone keystone_db_sync: start_order: 1 image: *keystone_image @@ -121,12 +110,24 @@ outputs: privileged: false detach: false volumes: &keystone_volumes - - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/keystone/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/keystone/etc/httpd/conf.modules.d:/etc/httpd/conf.modules.d:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - logs:/var/log + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/keystone/var/www/:/var/www/:ro + - /var/lib/config-data/keystone/etc/keystone/:/etc/keystone/:ro + - /var/lib/config-data/keystone/etc/httpd/:/etc/httpd/:ro + - /var/log/containers/keystone:/var/log/keystone + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - + if: + - internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' environment: - KOLLA_BOOTSTRAP=True - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS 
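Review bot: In `keystone_init_log` (docker/services/keystone.yaml, `step_3`) the `mkdir -p /var/log/httpd` no longer has a lasting effect, because the container's only volume is now `/var/log/containers/keystone:/var/log/keystone` and `/var/log/httpd` lives in the init container's own filesystem. If httpd in the keystone container still logs under `/var/log/httpd` (the generated vhost configuration is not visible here), the access and error logs of the identity service are not kept on the host the way the keystone logs are. Either add a host mount for it to both the init container and `keystone_volumes`, in the form `- <host log dir>:/var/log/httpd`, or drop the `mkdir`. The switch from `&&` to `;` also means a failing `mkdir` no longer fails the step.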
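Review bot: With `/var/lib/config-data/keystone/etc/keystone/:/etc/keystone/:ro` in `keystone_volumes`, the owner and mode of the key material under `/etc/keystone` are whatever was left on the host, since the preceding hunk removes the kolla `config_files` entries that copied `credential-keys/0` and `credential-keys/1` with `owner: keystone` and `perm: '0600'`. Please confirm that those files are still readable only by the id keystone runs as and are not world-readable under `/var/lib/config-data` on the host. A short comment next to the mount, such as `# key files keep their host-side owner/mode; kolla no longer resets them`, would record the dependency. The same check applies to the `/etc/pki/tls/private/httpd` mount when `internal_tls_enabled` is true.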
@@ -150,7 +151,15 @@ outputs: config_volume: 'keystone_init_tasks' puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_paste_ini,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain' step_config: 'include ::tripleo::profile::base::keystone' - config_image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerKeystoneImage} ] + config_image: *keystone_image + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/keystone + state: directory + upgrade_tasks: + - name: Stop and disable keystone service (running under httpd) + tags: step2 + service: name=httpd state=stopped enabled=no + metadata_settings: + get_attr: [KeystoneBase, role_data, metadata_settings] diff --git a/docker/services/memcached.yaml b/docker/services/memcached.yaml index 3e51f5b4..d85a0878 100644 --- a/docker/services/memcached.yaml +++ b/docker/services/memcached.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Memcached services @@ -26,15 +26,28 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: + ContainersCommon: + type: ./containers-common.yaml + MemcachedBase: type: ../../puppet/services/memcached.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
@@ -46,27 +59,42 @@ outputs: get_attr: [MemcachedBase, role_data, step_config] service_config_settings: {get_attr: [MemcachedBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &memcached_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMemcachedImage} ] puppet_config: config_volume: 'memcached' puppet_tags: 'file' step_config: *step_config - config_image: *memcached_image + config_image: &memcached_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerMemcachedImage} ] kolla_config: {} docker_config: step_1: + memcached_init_logs: + start_order: 0 + image: *memcached_image + privileged: false + user: root + volumes: + - /var/lib/config-data/memcached/etc/sysconfig/memcached:/etc/sysconfig/memcached:ro + - /var/log/memcached.log:/var/log/memcached.log + command: ['/bin/bash', '-c', 'source /etc/sysconfig/memcached; chown ${USER} /var/log/memcached.log'] memcached: + start_order: 1 image: *memcached_image net: host privileged: false restart: always volumes: - - /var/lib/config-data/memcached/etc/sysconfig/memcached:/etc/sysconfig/memcached:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/config-data/memcached/etc/sysconfig/memcached:/etc/sysconfig/memcached:ro + # TODO(bogdando) capture memcached syslog logs from a container command: ['/bin/bash', '-c', 'source /etc/sysconfig/memcached; /usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS'] environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + upgrade_tasks: + - name: Stop and disable memcached service + tags: step2 + service: name=memcached state=stopped enabled=no diff --git a/docker/services/mistral-api.yaml b/docker/services/mistral-api.yaml index 843d5b23..3b256fdd 100644 --- a/docker/services/mistral-api.yaml +++ b/docker/services/mistral-api.yaml 
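Review bot: `memcached_init_logs` in docker/services/memcached.yaml bind-mounts the single file `/var/log/memcached.log`, but this hunk adds no `host_prep_tasks` entry that creates it, and Docker creates a directory at a bind-mount source path that does not exist. On a host without that file, `chown ${USER} /var/log/memcached.log` would then act on an empty directory. The `memcached` container itself does not list the log mount (only the sysconfig file plus whatever `ContainersCommon` provides, which is not visible here), so the init step may have no effect on where the service actually logs. I would add a task that creates the file, e.g. `file: path=/var/log/memcached.log state=touch`, and mount it in `memcached` as well, or leave the init container out until the TODO about log capture is resolved.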
@@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Mistral API service @@ -30,15 +30,28 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: + ContainersCommon: + type: ./containers-common.yaml + MistralApiBase: type: ../../puppet/services/mistral-api.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -52,10 +65,6 @@ outputs: get_attr: [MistralApiBase, role_data, step_config] service_config_settings: {get_attr: [MistralApiBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &mistral_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMistralApiImage} ] puppet_config: config_volume: mistral puppet_tags: mistral_config 
@@ -65,15 +74,26 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerMistralConfigImage} ] kolla_config: - /var/lib/kolla/config_files/mistral_api.json: - command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/api.log --server=api - config_files: - - dest: /etc/mistral/mistral.conf - owner: mistral - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/mistral/mistral.conf + /var/lib/kolla/config_files/mistral_api.json: + command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/api.log --server=api + permissions: + - path: /var/log/mistral + owner: mistral:mistral + recurse: true docker_config: + # db sync runs before permissions set by kolla_config step_3: + mistral_init_logs: + start_order: 0 + image: &mistral_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerMistralApiImage} ] + privileged: false + user: root + volumes: + - /var/log/containers/mistral:/var/log/mistral + command: ['/bin/bash', '-c', 'chown -R mistral:mistral /var/log/mistral'] mistral_db_sync: start_order: 1 image: *mistral_image @@ -81,11 +101,11 @@ outputs: privileged: false detach: false volumes: - - /var/lib/config-data/mistral/etc/:/etc/:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/config-data/mistral/etc/:/etc/:ro + - /var/log/containers/mistral:/var/log/mistral command: ['mistral-db-manage', '--config-file', '/etc/mistral/mistral.conf', 'upgrade', 'head'] mistral_db_populate: start_order: 2 
@@ -94,11 +114,11 @@ outputs: privileged: false detach: false volumes: - - /var/lib/config-data/mistral/etc/:/etc/:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/config-data/mistral/etc/:/etc/:ro + - /var/log/containers/mistral:/var/log/mistral # NOTE: dprince this requires that we install openstack-tripleo-common into # the Mistral API image so that we get tripleo* actions command: ['mistral-db-manage', '--config-file', '/etc/mistral/mistral.conf', 'populate'] @@ -110,9 +130,20 @@ outputs: privileged: false restart: always volumes: - - /var/lib/kolla/config_files/mistral_api.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/mistral/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/mistral_api.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/mistral/etc/mistral/:/etc/mistral/:ro + - /var/log/containers/mistral:/var/log/mistral environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/mistral + state: directory + upgrade_tasks: + - name: Stop and disable mistral_api service + tags: step2 + service: name=openstack-mistral-api state=stopped enabled=no diff --git a/docker/services/mistral-engine.yaml b/docker/services/mistral-engine.yaml index e50fc0a6..d60d847b 100644 --- a/docker/services/mistral-engine.yaml +++ b/docker/services/mistral-engine.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Mistral Engine service 
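Review bot: The `create persistent logs directory` task added in hunk `@@ -110,9 +130,20 @@` creates `/var/log/containers/mistral` without `owner`, `group` or `mode`, so the directory's permissions on the host depend on the umask of whatever runs the task. Service logs at debug level can carry request details, so I would set the mode explicitly, for example `mode: '0750'` (value to be confirmed against how the logs are collected on the host). The same task is added in mistral-engine.yaml, mistral-executor.yaml and the neutron templates in this commit.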
@@ -30,16 +30,29 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: + ContainersCommon: + type: ./containers-common.yaml + MistralBase: type: ../../puppet/services/mistral-engine.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -53,10 +66,6 @@ outputs: get_attr: [MistralBase, role_data, step_config] service_config_settings: {get_attr: [MistralBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &mistral_engine_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMistralEngineImage} ] puppet_config: config_volume: mistral puppet_tags: mistral_config 
@@ -66,25 +75,38 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerMistralConfigImage} ] kolla_config: - /var/lib/kolla/config_files/mistral_engine.json: - command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/engine.log --server=engine - config_files: - - dest: /etc/mistral/mistral.conf - owner: mistral - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/mistral/mistral.conf + /var/lib/kolla/config_files/mistral_engine.json: + command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/engine.log --server=engine + permissions: + - path: /var/log/mistral + owner: mistral:mistral + recurse: true docker_config: step_4: mistral_engine: - image: *mistral_engine_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerMistralEngineImage} ] net: host privileged: false restart: always volumes: - - /run:/run - - /var/lib/kolla/config_files/mistral_engine.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/mistral/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /run:/run + - /var/lib/kolla/config_files/mistral_engine.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/mistral/etc/mistral/:/etc/mistral/:ro + - /var/log/containers/mistral:/var/log/mistral environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/mistral + state: directory + upgrade_tasks: + - name: Stop and disable mistral_engine service + tags: step2 + service: name=openstack-mistral-engine state=stopped enabled=no diff --git a/docker/services/mistral-executor.yaml b/docker/services/mistral-executor.yaml index 8833154e..76ae052b 100644 --- a/docker/services/mistral-executor.yaml 
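Review bot: Hunk `@@ -66,25 +75,38 @@` drops the `config_files` entry that copied `mistral.conf` with `owner: mistral` and `perm: '0640'`, and the service now reads `/etc/mistral/` straight from the read-only bind mount of `/var/lib/config-data/mistral/etc/mistral/`. Nothing in this template says which owner and mode those host files have, and that now decides both whether the `mistral` user in the container can read the file and who on the host can read any credentials in it. A comment next to the mount would record the expectation, e.g. `# owner/mode of mistral.conf come from the host copy under /var/lib/config-data; kolla no longer sets them`. The same removal appears in the mistral-api, mistral-executor, neutron and nova-api hunks, where some files were previously `0600`.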
+++ b/docker/services/mistral-executor.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Mistral Executor service @@ -30,16 +30,29 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: + ContainersCommon: + type: ./containers-common.yaml + MistralBase: type: ../../puppet/services/mistral-executor.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -53,10 +66,6 @@ outputs: get_attr: [MistralBase, role_data, step_config] service_config_settings: {get_attr: [MistralBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &mistral_executor_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMistralExecutorImage} ] puppet_config: config_volume: mistral puppet_tags: mistral_config 
@@ -66,29 +75,42 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerMistralConfigImage} ] kolla_config: - /var/lib/kolla/config_files/mistral_executor.json: - command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/executor.log --server=executor - config_files: - - dest: /etc/mistral/mistral.conf - owner: mistral - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/mistral/mistral.conf + /var/lib/kolla/config_files/mistral_executor.json: + command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/executor.log --server=executor + permissions: + - path: /var/log/mistral + owner: mistral:mistral + recurse: true docker_config: step_4: mistral_executor: - image: *mistral_executor_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerMistralExecutorImage} ] net: host privileged: false restart: always volumes: - - /run:/run - - /var/lib/kolla/config_files/mistral_executor.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/mistral/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - # FIXME: this is required in order for Nova cells - # initialization workflows on the Undercloud. Need to - # exclude this on the overcloud for security reasons. - - /var/lib/config-data/nova/etc/nova:/etc/nova:ro + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/mistral_executor.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/mistral/etc/mistral/:/etc/mistral/:ro + - /run:/run + # FIXME: this is required in order for Nova cells + # initialization workflows on the Undercloud. Need to + # exclude this on the overcloud for security reasons. 
+ - /var/lib/config-data/nova/etc/nova:/etc/nova:ro + - /var/log/containers/mistral:/var/log/mistral environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/mistral + state: directory + upgrade_tasks: + - name: Stop and disable mistral_executor service + tags: step2 + service: name=openstack-mistral-executor state=stopped enabled=no diff --git a/docker/services/neutron-api.yaml b/docker/services/neutron-api.yaml index bf19586c..748371d5 100644 --- a/docker/services/neutron-api.yaml +++ b/docker/services/neutron-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Neutron API service @@ -15,7 +15,7 @@ parameters: # we configure all neutron services in the same neutron DockerNeutronConfigImage: description: image - default: 'centos-binary-neutron-openvswitch-agent:latest' + default: 'centos-binary-neutron-server:latest' type: string EndpointMap: default: {} @@ -31,15 +31,35 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: + ContainersCommon: + type: ./containers-common.yaml + NeutronBase: type: ../../puppet/services/neutron-api.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
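Review bot: The `/var/lib/config-data/nova/etc/nova:/etc/nova:ro` entry in hunk `@@ -66,29 +75,42 @@` is moved into the new `list_concat` together with its FIXME, so the executor container still gets Nova's configuration on every node where this template is applied, which the FIXME itself calls out as a security problem on the overcloud. Since the volume list is being rebuilt here anyway, this would be the place to put that entry behind a condition (neutron-api.yaml in this commit does that for its TLS proxy with `if:`), so that only the undercloud mounts it. If that is deferred, the FIXME should at least point at a tracking bug. `/run:/run` also stays mounted read-write in the same list.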
@@ -53,10 +73,6 @@ outputs: get_attr: [NeutronBase, role_data, step_config] service_config_settings: {get_attr: [NeutronBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &neutron_api_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNeutronApiImage} ] puppet_config: config_volume: neutron puppet_tags: neutron_config,neutron_api_config @@ -66,20 +82,30 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerNeutronConfigImage} ] kolla_config: - /var/lib/kolla/config_files/neutron_api.json: - command: /usr/bin/neutron-server --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/share/neutron/server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini - config_files: - - dest: /etc/neutron/neutron.conf - owner: neutron - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/neutron/neutron.conf - - dest: /etc/neutron/plugin.ini - owner: neutron - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/neutron/plugins/ml2/ml2_conf.ini + /var/lib/kolla/config_files/neutron_api.json: + command: /usr/bin/neutron-server --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini + permissions: + - path: /var/log/neutron + owner: neutron:neutron + recurse: true + /var/lib/kolla/config_files/neutron_server_tls_proxy.json: + command: /usr/sbin/httpd -DFOREGROUND docker_config: + # db sync runs before permissions set by kolla_config step_3: + neutron_init_logs: + start_order: 0 + image: &neutron_api_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNeutronApiImage} ] + privileged: false + user: root + volumes: + - /var/log/containers/neutron:/var/log/neutron + command: ['/bin/bash', '-c', 'chown -R neutron:neutron /var/log/neutron'] neutron_db_sync: + start_order: 1 image: *neutron_api_image net: host privileged: false 
@@ -88,21 +114,53 @@ outputs: # and run as neutron user user: root volumes: - - /var/lib/config-data/neutron/etc/neutron:/etc/neutron:ro - - /var/lib/config-data/neutron/usr/share/neutron:/usr/share/neutron:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/config-data/neutron/etc/neutron:/etc/neutron:ro + - /var/lib/config-data/neutron/usr/share/neutron:/usr/share/neutron:ro + - /var/log/containers/neutron:/var/log/neutron command: ['neutron-db-manage', 'upgrade', 'heads'] step_4: - neutron_api: - image: *neutron_api_image - net: host - privileged: false - restart: always - volumes: - - /var/lib/kolla/config_files/neutron_api.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/neutron/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + map_merge: + - neutron_api: + image: *neutron_api_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/neutron_api.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro + - /var/log/containers/neutron:/var/log/neutron + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - if: + - internal_tls_enabled + - neutron_server_tls_proxy: + image: *neutron_api_image + net: host + user: root + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/neutron_server_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/neutron/etc/httpd/:/etc/httpd/:ro + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - {} + host_prep_tasks: + - name: create 
persistent logs directory + file: + path: /var/log/containers/neutron + state: directory + upgrade_tasks: + - name: Stop and disable neutron_api service + tags: step2 + service: name=neutron-server state=stopped enabled=no diff --git a/docker/services/neutron-dhcp.yaml b/docker/services/neutron-dhcp.yaml index 15f3055e..d14f5251 100644 --- a/docker/services/neutron-dhcp.yaml +++ b/docker/services/neutron-dhcp.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Neutron DHCP service @@ -8,14 +8,14 @@ parameters: description: namespace default: 'tripleoupstream' type: string - DockerNeutronApiImage: + DockerNeutronDHCPImage: description: image default: 'centos-binary-neutron-dhcp-agent:latest' type: string # we configure all neutron services in the same neutron DockerNeutronConfigImage: description: image - default: 'centos-binary-neutron-openvswitch-agent:latest' + default: 'centos-binary-neutron-server:latest' type: string EndpointMap: default: {} @@ -31,15 +31,28 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: + ContainersCommon: + type: ./containers-common.yaml + NeutronBase: type: ../../puppet/services/neutron-dhcp.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
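Review bot: `neutron_server_tls_proxy` in hunk `@@ -88,21 +114,53 @@` sets `user: root` and mounts `/etc/pki/tls/private/httpd`, but unlike `neutron_api` just above it has no `privileged: false` line. Whether the runner defaults to unprivileged is not visible here, so I would state it explicitly by adding `privileged: false` under `net: host`. The kolla_config entry `neutron_server_tls_proxy.json` from the previous hunk is written regardless of `internal_tls_enabled`, which looks harmless but could carry a comment saying so.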
@@ -53,10 +66,6 @@ outputs: get_attr: [NeutronBase, role_data, step_config] service_config_settings: {get_attr: [NeutronBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &neutron_dhcp_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNeutronApiImage} ] puppet_config: config_volume: neutron puppet_tags: neutron_config,neutron_dhcp_agent_config 
@@ -66,31 +75,40 @@ outputs: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerNeutronConfigImage} ] kolla_config: - /var/lib/kolla/config_files/neutron_dhcp.json: - command: /usr/bin/neutron-dhcp-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini --log-file /var/log/neutron/dhcp-agent.log - config_files: - - dest: /etc/neutron/neutron.conf - owner: neutron - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/neutron/neutron.conf - - dest: /etc/neutron/dhcp_agent.ini - owner: neutron - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/neutron/dhcp_agent.ini + /var/lib/kolla/config_files/neutron_dhcp.json: + command: /usr/bin/neutron-dhcp-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini --log-file /var/log/neutron/dhcp-agent.log + permissions: + - path: /var/log/neutron + owner: neutron:neutron + recurse: true docker_config: step_4: neutron_dhcp: - image: *neutron_dhcp_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNeutronDHCPImage} ] net: host pid: host privileged: true restart: always volumes: - - /var/lib/kolla/config_files/neutron_dhcp.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/neutron/:/var/lib/kolla/config_files/src:ro - - /etc/localtime:/etc/localtime:ro - - /etc/hosts:/etc/hosts:ro - - /lib/modules:/lib/modules:ro - - /run/:/run + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/neutron_dhcp.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro + - /lib/modules:/lib/modules:ro + - /run/:/run + - /var/log/containers/neutron:/var/log/neutron environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: 
/var/log/containers/neutron + state: directory + upgrade_tasks: + - name: Stop and disable neutron_dhcp service + tags: step2 + service: name=neutron-dhcp-agent state=stopped enabled=no diff --git a/docker/services/neutron-l3.yaml b/docker/services/neutron-l3.yaml index c74ab4fe..97901bc8 100644 --- a/docker/services/neutron-l3.yaml +++ b/docker/services/neutron-l3.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Neutron L3 agent @@ -15,7 +15,7 @@ parameters: # we configure all neutron services in the same neutron DockerNeutronConfigImage: description: image - default: 'centos-binary-neutron-openvswitch-agent:latest' + default: 'centos-binary-neutron-server:latest' type: string ServiceNetMap: default: {} @@ -26,6 +26,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -34,12 +42,17 @@ parameters: resources: + ContainersCommon: + type: ./containers-common.yaml + NeutronL3Base: type: ../../puppet/services/neutron-l3.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
@@ -47,42 +60,47 @@ outputs: value: service_name: {get_attr: [NeutronL3Base, role_data, service_name]} config_settings: {get_attr: [NeutronL3Base, role_data, config_settings]} - step_config: {get_attr: [NeutronL3Base, role_data, step_config]} - docker_image: &neutron_l3_agent_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNeutronL3AgentImage} ] - puppet_tags: neutron_config,neutron_l3_agent_config - config_volume: neutron - config_image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNeutronConfigImage} ] + step_config: &step_config + get_attr: [NeutronL3Base, role_data, step_config] + puppet_config: + puppet_tags: neutron_config,neutron_l3_agent_config + config_volume: neutron + step_config: *step_config + config_image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNeutronConfigImage} ] kolla_config: /var/lib/kolla/config_files/neutron-l3-agent.json: - command: /usr/bin/neutron-l3-agent --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/share/neutron/l3_agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/l3_agent.ini - config_files: - - dest: /etc/neutron/neutron.conf - owner: neutron - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/neutron/neutron.conf - - dest: /etc/neutron/l3_agent.ini - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/neutron/l3_agent.ini + command: /usr/bin/neutron-l3-agent --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/share/neutron/l3_agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/l3_agent.ini + permissions: + - path: /var/log/neutron + owner: neutron:neutron + recurse: true docker_config: step_4: neutronl3agent: - image: *neutron_l3_agent_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNeutronL3AgentImage} ] net: host pid: host privileged: true restart: always volumes: - - 
/var/lib/kolla/config_files/neutron-l3-agent.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/neutron:/var/lib/kolla/config_files/src:ro - - /etc/localtime:/etc/localtime:ro - - /lib/modules:/lib/modules:ro - - /run:/run + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/neutron-l3-agent.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro + - /lib/modules:/lib/modules:ro + - /run:/run + - /var/log/containers/neutron:/var/log/neutron environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/neutron + state: directory diff --git a/docker/services/neutron-metadata.yaml b/docker/services/neutron-metadata.yaml new file mode 100644 index 00000000..88b2ca5c --- /dev/null +++ b/docker/services/neutron-metadata.yaml 
@@ -0,0 +1,110 @@ +heat_template_version: pike + +description: > + OpenStack containerized Neutron Metadata agent + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerNeutronMetadataImage: + description: image + default: 'centos-binary-neutron-metadata-agent:latest' + type: string + # we configure all neutron services in the same neutron + DockerNeutronConfigImage: + description: image + default: 'centos-binary-neutron-server:latest' + type: string + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + NeutronMetadataBase: + type: ../../puppet/services/neutron-metadata.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for Neutron Metadata agent + value: + service_name: {get_attr: [NeutronMetadataBase, role_data, service_name]} + config_settings: {get_attr: [NeutronMetadataBase, role_data, config_settings]} + step_config: &step_config + get_attr: [NeutronMetadataBase, role_data, step_config] + puppet_config: + puppet_tags: neutron_config,neutron_metadata_agent_config + config_volume: neutron + step_config: *step_config + config_image: + list_join: + - 
'/' + - [ {get_param: DockerNamespace}, {get_param: DockerNeutronConfigImage} ] + kolla_config: + /var/lib/kolla/config_files/neutron-metadata-agent.json: + command: /usr/bin/neutron-metadata-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/metadata_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-metadata-agent + permissions: + - path: /var/log/neutron + owner: neutron:neutron + recurse: true + docker_config: + step_4: + neutron_metadata_agent: + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNeutronMetadataImage} ] + net: host + pid: host + privileged: true + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/neutron-metadata-agent.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro + - /lib/modules:/lib/modules:ro + - /run:/run + - /var/log/containers/neutron:/var/log/neutron + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/neutron + state: directory + upgrade_tasks: + - name: Stop and disable neutron_metadata service + tags: step2 + service: name=neutron-metadata-agent state=stopped enabled=no diff --git a/docker/services/neutron-ovs-agent.yaml b/docker/services/neutron-ovs-agent.yaml index f6b29292..89bf8663 100644 --- a/docker/services/neutron-ovs-agent.yaml +++ b/docker/services/neutron-ovs-agent.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Neutron openvswitch service 
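Review bot: The new `neutron_metadata_agent` container in neutron-metadata.yaml is declared with `privileged: true`, `pid: host`, a read-write `/run:/run` and `/lib/modules`, and nothing in the file says which of these the metadata agent needs. The settings match the L3 and OVS agent definitions elsewhere in this commit, so they may simply have been carried over. I would either drop what is not required or add a comment above `privileged: true` giving the reason, e.g. `# privileged + pid: host required for <reason>`.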
@@ -12,6 +12,10 @@ parameters: description: image default: 'centos-binary-neutron-openvswitch-agent:latest' type: string + DockerNeutronConfigImage: + description: image + default: 'centos-binary-neutron-server:latest' + type: string ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set @@ -21,6 +25,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -29,12 +41,17 @@ parameters: resources: + ContainersCommon: + type: ./containers-common.yaml + NeutronOvsAgentBase: type: ../../puppet/services/neutron-ovs-agent.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
@@ -44,44 +61,49 @@ outputs: config_settings: {get_attr: [NeutronOvsAgentBase, role_data, config_settings]} step_config: &step_config get_attr: [NeutronOvsAgentBase, role_data, step_config] - docker_image: &neutron_ovs_agent_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerOpenvswitchImage} ] puppet_config: config_volume: neutron puppet_tags: neutron_config,neutron_agent_ovs,neutron_plugin_ml2 step_config: *step_config - config_image: *neutron_ovs_agent_image + config_image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNeutronConfigImage} ] kolla_config: /var/lib/kolla/config_files/neutron-openvswitch-agent.json: - command: /usr/bin/neutron-openvswitch-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini --config-file /etc/neutron/plugins/ml2/ml2_conf.ini - config_files: - - dest: /etc/neutron/neutron.conf - owner: neutron - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/neutron/neutron.conf - - dest: /etc/neutron/plugins/ml2/openvswitch_agent.ini - owner: neutron - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/neutron/plugins/ml2/openvswitch_agent.ini - - dest: /etc/neutron/plugins/ml2/ml2_conf.ini - owner: neutron - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/neutron/plugins/ml2/ml2_conf.ini + command: /usr/bin/neutron-openvswitch-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini --config-file /etc/neutron/plugins/ml2/ml2_conf.ini + permissions: + - path: /var/log/neutron + owner: neutron:neutron + recurse: true docker_config: step_4: neutronovsagent: - image: *neutron_ovs_agent_image + image: &neutron_ovs_agent_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerOpenvswitchImage} ] net: host pid: host privileged: true 
restart: always volumes: - - /var/lib/kolla/config_files/neutron-openvswitch-agent.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/neutron:/var/lib/kolla/config_files/src:ro - - /etc/localtime:/etc/localtime:ro - - /lib/modules:/lib/modules:ro - - /run:/run + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/neutron-openvswitch-agent.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro + - /lib/modules:/lib/modules:ro + - /run:/run + - /var/log/containers/neutron:/var/log/neutron environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/neutron + state: directory + upgrade_tasks: + - name: Stop and disable neutron_ovs_agent service + tags: step2 + service: name=neutron-openvswitch-agent state=stopped enabled=no diff --git a/docker/services/neutron-plugin-ml2.yaml b/docker/services/neutron-plugin-ml2.yaml index 5d1a348a..1739a5b9 100644 --- a/docker/services/neutron-plugin-ml2.yaml +++ b/docker/services/neutron-plugin-ml2.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Neutron ML2 Plugin configured with Puppet @@ -21,11 +21,19 @@ parameters: type: string DockerNeutronConfigImage: description: image - default: 'centos-binary-neutron-openvswitch-agent:latest' + default: 'centos-binary-neutron-server:latest' type: string DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: 
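Review bot: In hunk `@@ -44,44 +61,49 @@` the YAML anchor `&neutron_ovs_agent_image` is moved onto the `image:` of `neutronovsagent`, but `config_image` no longer uses the alias and no other `*neutron_ovs_agent_image` is visible in the hunk. The other agent templates in this commit (neutron-dhcp.yaml, neutron-l3.yaml) dropped their anchors in the same situation, so writing `image:` without the anchor would keep them consistent.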
@@ -35,6 +43,8 @@ resources: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -48,14 +58,13 @@ outputs: get_attr: [NeutronBase, role_data, step_config] service_config_settings: {get_attr: [NeutronBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &docker_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNeutronConfigImage} ] puppet_config: config_volume: 'neutron' puppet_tags: '' step_config: *step_config - config_image: *docker_image + config_image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNeutronConfigImage} ] kolla_config: {} docker_config: {} diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml index 28b3a9d0..d571b21b 100644 --- a/docker/services/nova-api.yaml +++ b/docker/services/nova-api.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Nova API service @@ -12,7 +12,7 @@ parameters: description: image default: 'centos-binary-nova-api:latest' type: string - DockerNovaBaseImage: + DockerNovaConfigImage: description: image default: 'centos-binary-nova-base:latest' type: string @@ -30,15 +30,28 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: + ContainersCommon: + type: ./containers-common.yaml + NovaApiBase: type: ../../puppet/services/nova-api.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
@@ -50,13 +63,12 @@ outputs: - get_attr: [NovaApiBase, role_data, config_settings] - apache::default_vhost: false step_config: &step_config - get_attr: [NovaApiBase, role_data, step_config] + list_join: + - "\n" + - - "['Nova_cell_v2'].each |String $val| { noop_resource($val) }" + - {get_attr: [NovaApiBase, role_data, step_config]} service_config_settings: {get_attr: [NovaApiBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &nova_api_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaApiImage} ] puppet_config: config_volume: nova puppet_tags: nova_config 
@@ -64,26 +76,40 @@ outputs: config_image: list_join: - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaBaseImage} ] + - [ {get_param: DockerNamespace}, {get_param: DockerNovaConfigImage} ] kolla_config: - /var/lib/kolla/config_files/nova_api.json: - command: /usr/bin/nova-api - config_files: - - dest: /etc/nova/nova.conf - owner: nova - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/nova/nova.conf + /var/lib/kolla/config_files/nova_api.json: + command: /usr/bin/nova-api + permissions: + - path: /var/log/nova + owner: nova:nova + recurse: true docker_config: + # db sync runs before permissions set by kolla_config step_3: + nova_init_logs: + start_order: 0 + image: &nova_api_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNovaApiImage} ] + privileged: false + user: root + volumes: + - /var/log/containers/nova:/var/log/nova + command: ['/bin/bash', '-c', 'chown -R nova:nova /var/log/nova'] nova_api_db_sync: start_order: 1 image: *nova_api_image net: host detach: false volumes: &nova_api_volumes - - /var/lib/config-data/nova/etc/:/etc/:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/nova_api.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro + - /var/log/containers/nova:/var/log/nova command: ['/usr/bin/nova-manage', 'api_db', 'sync'] # FIXME: we probably want to wait on the 'cell_v2 update' in order for this # to be capable of upgrading a baremetal setup. This is to ensure the name 
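Review bot: With the `config_files` entry removed from `kolla_config`, nothing in this hunk sets the owner or mode of `/etc/nova/nova.conf` any more; the containers now read it through the bind mount `/var/lib/config-data/nova/etc/nova/:/etc/nova/:ro`, so its permissions are whatever the host copy has. The hunk does not show how files under `/var/lib/config-data` are written, so this is something to confirm rather than a known defect, but nova.conf usually holds database and message-bus credentials and the removed entry enforced `perm: '0640'`. I would add a comment above the mount, `# owner/mode of nova.conf now come from the host copy under /var/lib/config-data; keep that tree non-world-readable`. The nova-compute, nova-conductor, nova-ironic, nova-libvirt, nova-placement, nova-scheduler and rabbitmq hunks drop their `config_files` the same way and deserve the same check.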
@@ -128,15 +154,12 @@ outputs: user: nova privileged: true restart: always - volumes: - - /var/lib/kolla/config_files/nova_api.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/nova/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro + volumes: *nova_api_volumes environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + step_5: nova_api_discover_hosts: - start_order: 3 + start_order: 1 image: *nova_api_image net: host detach: false @@ -145,3 +168,12 @@ outputs: - '/usr/bin/nova-manage' - 'cell_v2' - 'discover_hosts' + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/nova + state: directory + upgrade_tasks: + - name: Stop and disable nova_api service + tags: step2 + service: name=openstack-nova-api state=stopped enabled=no diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml index 9f4e353a..4f10a1a3 100644 --- a/docker/services/nova-compute.yaml +++ b/docker/services/nova-compute.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Nova Compute service @@ -21,6 +21,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -29,6 +37,8 @@ parameters: resources: + ContainersCommon: + type: ./containers-common.yaml NovaComputeBase: type: ../../puppet/services/nova-compute.yaml 
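Review bot: The `host_prep_tasks` entry added in the last nova-api hunk (`@@ -145,3 +168,12 @@`) creates `/var/log/containers/nova` without a `mode`, so the directory's permissions depend on the umask in effect when the task runs. Service logs can carry request details and, at debug level, more sensitive values, so I would set it explicitly, e.g. `mode: '0750'` after `state: directory`, assuming no other host user needs to read the directory. The `nova_init_logs` container in this file chowns the tree to nova:nova afterwards, which changes the owner but not the mode. The same `file:` tasks without `mode` appear in the nova-compute, nova-conductor, nova-ironic, nova-libvirt, nova-placement, nova-scheduler and panko-api hunks, where some of them also create `/var/lib/nova`, `/var/lib/libvirt` and `/etc/libvirt/qemu`.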
@@ -36,36 +46,43 @@ resources: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: description: Role data for the Nova Compute service. value: service_name: {get_attr: [NovaComputeBase, role_data, service_name]} - config_settings: {get_attr: [NovaComputeBase, role_data, config_settings]} + config_settings: + map_merge: + - get_attr: [NovaComputeBase, role_data, config_settings] + # FIXME: we need to disable migration for now as the + # hieradata is common for all services, and this means nova + # and nova_placement puppet runs also try to configure + # libvirt, and they fail. We can remove this override when + # we have hieradata separation between containers. + - tripleo::profile::base::nova::manage_migration: false step_config: &step_config get_attr: [NovaComputeBase, role_data, step_config] - docker_image: &nova_compute_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaComputeImage} ] puppet_config: config_volume: nova_libvirt puppet_tags: nova_config,nova_paste_api_ini step_config: *step_config - config_image: *nova_compute_image + config_image: &nova_compute_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNovaComputeImage} ] kolla_config: /var/lib/kolla/config_files/nova-compute.json: - command: /usr/bin/nova-compute --config-file /etc/nova/nova.conf --config-file /etc/nova/rootwrap.conf - config_files: - - dest: /etc/nova/nova.conf - owner: nova - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/nova/nova.conf - - dest: /etc/nova/rootwrap.conf - owner: nova - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/nova/rootwrap.conf + command: /usr/bin/nova-compute --config-file /etc/nova/nova.conf --config-file /etc/nova/rootwrap.conf + permissions: + - path: /var/log/nova + owner: nova:nova + recurse: 
true + - path: /var/lib/nova + owner: nova:nova + recurse: true docker_config: # FIXME: run discover hosts here step_4: @@ -76,14 +93,30 @@ outputs: user: root restart: always volumes: - - /var/lib/kolla/config_files/nova-compute.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/nova_libvirt:/var/lib/kolla/config_files/src:ro - - /dev:/dev - - /etc/iscsi:/etc/iscsi - - /etc/localtime:/etc/localtime:ro - - /lib/modules:/lib/modules:ro - - /run:/run - - /var/lib/nova:/var/lib/nova - - libvirtd:/var/lib/libvirt + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/nova-compute.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/nova_libvirt/etc/nova/:/etc/nova/:ro + - /dev:/dev + - /etc/iscsi:/etc/iscsi + - /lib/modules:/lib/modules:ro + - /run:/run + - /var/lib/nova:/var/lib/nova + - /var/lib/libvirt:/var/lib/libvirt + - /var/log/containers/nova:/var/log/nova environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent directories + file: + path: "{{ item }}" + state: directory + with_items: + - /var/log/containers/nova + - /var/lib/nova + - /var/lib/libvirt + upgrade_tasks: + - name: Stop and disable nova-compute service + tags: step2 + service: name=openstack-nova-compute state=stopped enabled=no diff --git a/docker/services/nova-conductor.yaml b/docker/services/nova-conductor.yaml index 73acd0ac..131355d7 100644 --- a/docker/services/nova-conductor.yaml +++ b/docker/services/nova-conductor.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Nova Conductor service @@ -12,7 +12,7 @@ parameters: description: image default: 'centos-binary-nova-conductor:latest' type: string - DockerNovaBaseImage: + DockerNovaConfigImage: description: image default: 'centos-binary-nova-base:latest' type: string 
@@ -30,16 +30,29 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: + ContainersCommon: + type: ./containers-common.yaml + NovaConductorBase: type: ../../puppet/services/nova-conductor.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -51,10 +64,6 @@ outputs: get_attr: [NovaConductorBase, role_data, step_config] service_config_settings: {get_attr: [NovaConductorBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &nova_conductor_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaConductorImage} ] puppet_config: config_volume: nova puppet_tags: nova_config 
@@ -62,27 +71,39 @@ outputs: config_image: list_join: - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaBaseImage} ] + - [ {get_param: DockerNamespace}, {get_param: DockerNovaConfigImage} ] kolla_config: - /var/lib/kolla/config_files/nova_conductor.json: - command: /usr/bin/nova-conductor - config_files: - - dest: /etc/nova/nova.conf - owner: nova - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/nova/nova.conf + /var/lib/kolla/config_files/nova_conductor.json: + command: /usr/bin/nova-conductor + permissions: + - path: /var/log/nova + owner: nova:nova + recurse: true docker_config: step_4: nova_conductor: - image: *nova_conductor_image + image: &nova_conductor_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNovaConductorImage} ] net: host privileged: false restart: always volumes: - - /run:/run - - /var/lib/kolla/config_files/nova_conductor.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/nova/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/nova_conductor.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro + - /var/log/containers/nova:/var/log/nova environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/nova + state: directory + upgrade_tasks: + - name: Stop and disable nova_conductor service + tags: step2 + service: name=openstack-nova-conductor state=stopped enabled=no diff --git a/docker/services/nova-ironic.yaml b/docker/services/nova-ironic.yaml index 5b46010f..be0dd111 100644 --- a/docker/services/nova-ironic.yaml +++ b/docker/services/nova-ironic.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Nova Ironic Compute service 
@@ -12,7 +12,7 @@ parameters: description: image default: 'centos-binary-nova-compute-ironic:latest' type: string - DockerNovaBaseImage: + DockerNovaConfigImage: description: image default: 'centos-binary-nova-base:latest' type: string @@ -25,6 +25,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -33,11 +41,17 @@ parameters: resources: + ContainersCommon: + type: ./containers-common.yaml NovaIronicBase: type: ../../puppet/services/nova-ironic.yaml properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -47,10 +61,6 @@ outputs: config_settings: {get_attr: [NovaIronicBase, role_data, config_settings]} step_config: &step_config get_attr: [NovaIronicBase, role_data, step_config] - docker_image: &nova_ironic_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaComputeImage} ] puppet_config: config_volume: nova puppet_tags: nova_config,nova_paste_api_ini 
@@ -58,34 +68,50 @@ outputs: config_image: list_join: - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaBaseImage} ] + - [ {get_param: DockerNamespace}, {get_param: DockerNovaConfigImage} ] kolla_config: /var/lib/kolla/config_files/nova_ironic.json: - command: /usr/bin/nova-compute --config-file /etc/nova/nova.conf --config-file /etc/nova/rootwrap.conf - config_files: - - dest: /etc/nova/nova.conf - owner: nova - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/nova/nova.conf - - dest: /etc/nova/rootwrap.conf - owner: nova - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/nova/rootwrap.conf + command: /usr/bin/nova-compute --config-file /etc/nova/nova.conf --config-file /etc/nova/rootwrap.conf + permissions: + - path: /var/log/nova + owner: nova:nova + recurse: true + - path: /var/lib/nova + owner: nova:nova + recurse: true docker_config: step_5: novacompute: - image: *nova_ironic_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNovaComputeImage} ] net: host privileged: true user: root restart: always volumes: - - /var/lib/kolla/config_files/nova_ironic.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/nova:/var/lib/kolla/config_files/src:ro - - /etc/localtime:/etc/localtime:ro - - /run:/run - - /dev:/dev - - /etc/iscsi:/etc/iscsi - - nova_compute:/var/lib/nova/ + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/nova_ironic.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro + - /run:/run + - /dev:/dev + - /etc/iscsi:/etc/iscsi + - /var/lib/nova/:/var/lib/nova + - /var/log/containers/nova:/var/log/nova environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent directories + file: + path: "{{ item }}" + state: directory + with_items: + - /var/log/containers/nova + - /var/lib/nova + upgrade_tasks: + - name: Stop and disable nova-compute 
service + tags: step2 + service: name=openstack-nova-compute state=stopped enabled=no diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml index ed54f3d9..ebf0da7d 100644 --- a/docker/services/nova-libvirt.yaml +++ b/docker/services/nova-libvirt.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Libvirt Service @@ -14,7 +14,7 @@ parameters: type: string # we configure libvirt via the nova-compute container due to coupling # in the puppet modules - DockerNovaComputeImage: + DockerNovaConfigImage: description: image default: 'centos-binary-nova-compute:latest' type: string @@ -27,6 +27,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set 
@@ -35,25 +43,34 @@ parameters: resources: + ContainersCommon: + type: ./containers-common.yaml + NovaLibvirtBase: type: ../../puppet/services/nova-libvirt.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: description: Role data for the Libvirt service. value: service_name: {get_attr: [NovaLibvirtBase, role_data, service_name]} - config_settings: {get_attr: [NovaLibvirtBase, role_data, config_settings]} + config_settings: + map_merge: + - get_attr: [NovaLibvirtBase, role_data, config_settings] + # FIXME: we need to disable migration for now as the + # hieradata is common for all services, and this means nova + # and nova_placement puppet runs also try to configure + # libvirt, and they fail. We can remove this override when + # we have hieradata separation between containers. + - tripleo::profile::base::nova::manage_migration: false step_config: &step_config get_attr: [NovaLibvirtBase, role_data, step_config] - docker_image: &libvirt_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerLibvirtImage} ] puppet_config: config_volume: nova_libvirt puppet_tags: nova_config 
@@ -61,35 +78,53 @@ outputs: config_image: list_join: - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaComputeImage} ] + - [ {get_param: DockerNamespace}, {get_param: DockerNovaConfigImage} ] kolla_config: /var/lib/kolla/config_files/nova-libvirt.json: - command: /usr/sbin/libvirtd --config /etc/libvirt/libvirtd.conf - config_files: - - dest: /etc/libvirt/libvirtd.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/libvirt/libvirtd.conf + command: /usr/sbin/libvirtd --config /etc/libvirt/libvirtd.conf + permissions: + - path: /var/log/nova + owner: nova:nova + recurse: true docker_config: step_3: nova_libvirt: - image: *libvirt_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerLibvirtImage} ] net: host pid: host privileged: true restart: always volumes: - - /var/lib/kolla/config_files/nova-libvirt.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/nova_libvirt:/var/lib/kolla/config_files/src:ro - - /dev:/dev - - /etc/localtime:/etc/localtime:ro - - /lib/modules:/lib/modules:ro - - /run:/run - - /sys/fs/cgroup:/sys/fs/cgroup - - /var/lib/nova:/var/lib/nova - # Needed to use host's virtlogd - - /var/run/libvirt:/var/run/libvirt - - libvirtd:/var/lib/libvirt - - nova_libvirt_qemu:/etc/libvirt/qemu + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/nova-libvirt.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/nova_libvirt/etc/libvirt/:/etc/libvirt/:ro + - /lib/modules:/lib/modules:ro + - /dev:/dev + - /run:/run + - /sys/fs/cgroup:/sys/fs/cgroup + - /var/lib/nova:/var/lib/nova + # Needed to use host's virtlogd + - /var/run/libvirt:/var/run/libvirt + - /var/lib/libvirt:/var/lib/libvirt + - /etc/libvirt/qemu:/etc/libvirt/qemu + - /var/log/containers/nova:/var/log/nova environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create libvirt persistent data directories + file: + path: 
"{{ item }}" + state: directory + with_items: + - /etc/libvirt/qemu + - /var/lib/libvirt + - /var/log/containers/nova + upgrade_tasks: + - name: Stop and disable libvirtd service + tags: step2 + service: name=libvirtd state=stopped enabled=no diff --git a/docker/services/nova-metadata.yaml b/docker/services/nova-metadata.yaml index 90c4c1c9..e158d3bc 100644 --- a/docker/services/nova-metadata.yaml +++ b/docker/services/nova-metadata.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Nova Metadata service @@ -18,7 +18,14 @@ parameters: DefaultPasswords: default: {} type: json - + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: @@ -28,6 +35,8 @@ resources: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -41,7 +50,6 @@ outputs: get_attr: [NovaMetadataBase, role_data, step_config] service_config_settings: {get_attr: [NovaMetadataBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: '' puppet_config: config_volume: '' puppet_tags: '' diff --git a/docker/services/nova-placement.yaml b/docker/services/nova-placement.yaml index 54469795..ae4ccf68 100644 --- a/docker/services/nova-placement.yaml +++ b/docker/services/nova-placement.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Nova Placement API service @@ -10,7 +10,7 @@ parameters: type: string DockerNovaPlacementImage: description: image - default: 'centos-binary-nova-placement-api' + default: 'centos-binary-nova-placement-api:latest' type: string EndpointMap: default: {} 
@@ -26,15 +26,28 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: + ContainersCommon: + type: ./containers-common.yaml + NovaPlacementBase: type: ../../puppet/services/nova-placement.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
@@ -49,42 +62,21 @@ outputs: get_attr: [NovaPlacementBase, role_data, step_config] service_config_settings: {get_attr: [NovaPlacementBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &nova_placement_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaPlacementImage} ] puppet_config: config_volume: nova_placement puppet_tags: nova_config step_config: *step_config - config_image: + config_image: &nova_placement_image list_join: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerNovaPlacementImage} ] kolla_config: - /var/lib/kolla/config_files/nova_placement.json: - command: /usr/sbin/httpd -DFOREGROUND - config_files: - - dest: /etc/nova/nova.conf - owner: nova - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/nova/nova.conf - - dest: /etc/httpd/conf.d/10-placement_wsgi.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-placement_wsgi.conf - - dest: /etc/httpd/conf/httpd.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/httpd.conf - - dest: /etc/httpd/conf/ports.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/httpd/conf/ports.conf - - dest: /var/www/cgi-bin/nova/nova-placement-api - owner: nova - perm: '0644' - source: /var/lib/kolla/config_files/src/var/www/cgi-bin/nova/nova-placement-api + /var/lib/kolla/config_files/nova_placement.json: + command: /usr/sbin/httpd -DFOREGROUND + permissions: + - path: /var/log/nova + owner: nova:nova + recurse: true docker_config: # start this early so it is up before computes start reporting step_3: 
@@ -95,10 +87,22 @@ outputs: user: root restart: always volumes: - - /var/lib/kolla/config_files/nova_placement.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/nova_placement/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/nova_placement/etc/httpd/conf.modules.d:/etc/httpd/conf.modules.d:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/nova_placement.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/nova_placement/etc/nova/:/etc/nova/:ro + - /var/lib/config-data/nova_placement/etc/httpd/:/etc/httpd/:ro + - /var/lib/config-data/nova_placement/var/www/:/var/www/:ro + - /var/log/containers/nova:/var/log/nova environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/nova + state: directory + upgrade_tasks: + - name: Stop and disable nova_placement service (running under httpd) + tags: step2 + service: name=httpd state=stopped enabled=no diff --git a/docker/services/nova-scheduler.yaml b/docker/services/nova-scheduler.yaml index e3955a2b..6285e98e 100644 --- a/docker/services/nova-scheduler.yaml +++ b/docker/services/nova-scheduler.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Nova Scheduler service @@ -12,7 +12,7 @@ parameters: description: image default: 'centos-binary-nova-scheduler:latest' type: string - DockerNovaBaseImage: + DockerNovaConfigImage: description: image default: 'centos-binary-nova-base:latest' type: string 
@@ -30,15 +30,28 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: + ContainersCommon: + type: ./containers-common.yaml + NovaSchedulerBase: type: ../../puppet/services/nova-scheduler.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
@@ -50,38 +63,47 @@ outputs: get_attr: [NovaSchedulerBase, role_data, step_config] service_config_settings: {get_attr: [NovaSchedulerBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &nova_scheduler_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaSchedulerImage} ] puppet_config: - config_volume: nova - puppet_tags: nova_config - step_config: *step_config - config_image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerNovaBaseImage} ] + config_volume: nova + puppet_tags: nova_config + step_config: *step_config + config_image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNovaConfigImage} ] kolla_config: - /var/lib/kolla/config_files/nova_scheduler.json: - command: /usr/bin/nova-scheduler - config_files: - - dest: /etc/nova/nova.conf - owner: nova - perm: '0600' - source: /var/lib/kolla/config_files/src/etc/nova/nova.conf + /var/lib/kolla/config_files/nova_scheduler.json: + command: /usr/bin/nova-scheduler + permissions: + - path: /var/log/nova + owner: nova:nova + recurse: true docker_config: step_4: nova_scheduler: - image: *nova_scheduler_image + image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerNovaSchedulerImage} ] net: host privileged: false restart: always volumes: - - /run:/run - - /var/lib/kolla/config_files/nova_scheduler.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/nova/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/nova_scheduler.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro + - /run:/run + - /var/log/containers/nova:/var/log/nova environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: 
/var/log/containers/nova + state: directory + upgrade_tasks: + - name: Stop and disable nova_scheduler service + tags: step2 + service: name=openstack-nova-scheduler state=stopped enabled=no diff --git a/docker/services/panko-api.yaml b/docker/services/panko-api.yaml new file mode 100644 index 00000000..46cfa5ab --- /dev/null +++ b/docker/services/panko-api.yaml 
@@ -0,0 +1,145 @@ +heat_template_version: pike + +description: > + OpenStack Panko service configured with docker. + Note, this service is deprecated in Pike release and + will be disabled in future releases. + +parameters: + DockerNamespace: + description: namespace + default: 'tripleoupstream' + type: string + DockerPankoApiImage: + description: image + default: 'centos-binary-panko-api:latest' + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + PankoApiPuppetBase: + type: ../../puppet/services/panko-api.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Panko API role. 
+ value: + service_name: {get_attr: [PankoApiPuppetBase, role_data, service_name]} + config_settings: + map_merge: + - get_attr: [PankoApiPuppetBase, role_data, config_settings] + - apache::default_vhost: false + step_config: &step_config + get_attr: [PankoApiPuppetBase, role_data, step_config] + service_config_settings: {get_attr: [PankoApiPuppetBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS # + puppet_config: + config_volume: panko + puppet_tags: panko_api_paste_ini,panko_config + step_config: *step_config + config_image: &panko_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerPankoApiImage} ] + kolla_config: + /var/lib/kolla/config_files/panko-api.json: + command: /usr/sbin/httpd -DFOREGROUND + permissions: + - path: /var/log/panko + owner: panko:panko + recurse: true + docker_config: + step_3: + panko-init-log: + start_order: 0 + image: *panko_image + user: root + volumes: + - /var/log/containers/panko:/var/log/panko + command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd; chown -R panko:panko /var/log/panko'] + panko_db_sync: + start_order: 1 + image: *panko_image + net: host + detach: false + privileged: false + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/config-data/panko/etc/panko:/etc/panko:ro + - /var/log/containers/panko:/var/log/panko + command: /usr/bin/panko-dbsync + step_4: + panko_api: + start_order: 2 + image: *panko_image + net: host + privileged: false + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/panko-api.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/panko/etc/panko/:/etc/panko/:ro + - /var/lib/config-data/panko/etc/httpd/:/etc/httpd/:ro + - /var/lib/config-data/panko/var/www/:/var/www/:ro + - /var/log/containers/panko:/var/log/panko + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - + if: + - 
internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/panko + state: directory + metadata_settings: + get_attr: [PankoApiPuppetBase, role_data, metadata_settings] diff --git a/docker/services/rabbitmq.yaml b/docker/services/rabbitmq.yaml index aa604439..e2f8228e 100644 --- a/docker/services/rabbitmq.yaml +++ b/docker/services/rabbitmq.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Rabbitmq service @@ -26,6 +26,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json RabbitCookie: type: string default: '' 
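Review bot: In `panko-init-log` of the new panko-api.yaml, the `mkdir -p /var/log/httpd` half of the command has no lasting effect as written: that container mounts only `/var/log/containers/panko:/var/log/panko`, so the directory is created in its own filesystem and is not visible to `panko_api`. Because the two commands are joined with `;`, the `chown` also runs whether or not `mkdir` succeeded. If the intent is only to fix ownership of the log tree, `command: ['/bin/bash', '-c', 'chown -R panko:panko /var/log/panko']` says so. If httpd's logs under `/var/log/httpd` are meant to survive container restarts, which is useful as an API access trail, `panko_api` needs a host directory mounted at that path, and this hunk does not add one.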
@@ -33,69 +41,77 @@ parameters: resources: + ContainersCommon: + type: ./containers-common.yaml + RabbitmqBase: type: ../../puppet/services/rabbitmq.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: description: Role data for the Rabbitmq API role. value: service_name: {get_attr: [RabbitmqBase, role_data, service_name]} - config_settings: {get_attr: [RabbitmqBase, role_data, config_settings]} + # RabbitMQ plugins initialization occurs on every node + config_settings: + map_merge: + - {get_attr: [RabbitmqBase, role_data, config_settings]} + - rabbitmq::admin_enable: false step_config: &step_config - get_attr: [RabbitmqBase, role_data, step_config] + list_join: + - "\n" + - - "['Rabbitmq_policy', 'Rabbitmq_user'].each |String $val| { noop_resource($val) }" + - get_attr: [RabbitmqBase, role_data, step_config] service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &rabbitmq_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerRabbitmqImage} ] puppet_config: config_volume: rabbitmq - puppet_tags: file step_config: *step_config - config_image: *rabbitmq_image + config_image: &rabbitmq_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerRabbitmqImage} ] kolla_config: /var/lib/kolla/config_files/rabbitmq.json: command: /usr/lib/rabbitmq/bin/rabbitmq-server - config_files: - - dest: /etc/rabbitmq/rabbitmq.config - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/rabbitmq/rabbitmq.config - - dest: /etc/rabbitmq/enabled_plugins - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/rabbitmq/enabled_plugins - - dest: /etc/rabbitmq/rabbitmq-env.conf - owner: root - perm: '0644' - source: 
/var/lib/kolla/config_files/src/etc/rabbitmq/rabbitmq-env.conf - - dest: /etc/rabbitmq/rabbitmqadmin.conf - owner: root - perm: '0644' - source: /var/lib/kolla/config_files/src/etc/rabbitmq/rabbitmqadmin.conf + permissions: + - path: /var/lib/rabbitmq + owner: rabbitmq:rabbitmq + recurse: true docker_config: + # Kolla_bootstrap runs before permissions set by kolla_config step_1: - rabbitmq_bootstrap: + rabbitmq_init_logs: start_order: 0 image: *rabbitmq_image + privileged: false + user: root + volumes: + - /var/log/containers/rabbitmq:/var/log/rabbitmq + command: ['/bin/bash', '-c', 'chown -R rabbitmq:rabbitmq /var/log/rabbitmq'] + rabbitmq_bootstrap: + start_order: 1 + image: *rabbitmq_image net: host privileged: false volumes: - - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/rabbitmq/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - rabbitmq:/var/lib/rabbitmq/ + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro + - /var/lib/rabbitmq:/var/lib/rabbitmq + - /var/log/containers/rabbitmq:/var/log/rabbitmq environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - KOLLA_BOOTSTRAP=True - - + - list_join: - '=' - - 'RABBITMQ_CLUSTER_COOKIE' 
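Review bot: In `rabbitmq_bootstrap` the named volume `rabbitmq:/var/lib/rabbitmq/` becomes the host path `/var/lib/rabbitmq:/var/lib/rabbitmq`, so the broker's data directory (and, by default, the Erlang cookie file kept there) now lives on the host filesystem. The new kolla `permissions` entry sets only the owner, so the directory mode is whatever the host-side creation leaves. I would pin it on the `file` task that creates `/var/lib/rabbitmq` in a later hunk of this file, e.g. `mode: '0750'`. Confirm that the in-container rabbitmq user still has access after the recursive chown.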
@@ -107,16 +123,40 @@ outputs: - {get_param: RabbitCookie} - {get_param: [DefaultPasswords, rabbit_cookie]} rabbitmq: - start_order: 1 + start_order: 2 image: *rabbitmq_image net: host privileged: false restart: always volumes: - - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/rabbitmq/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - rabbitmq:/var/lib/rabbitmq/ + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro + - /var/lib/rabbitmq:/var/lib/rabbitmq + - /var/log/containers/rabbitmq:/var/log/rabbitmq environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + docker_puppet_tasks: + # RabbitMQ users and policies initialization occurs only on single node + step_1: + config_volume: 'rabbit_init_tasks' + puppet_tags: 'rabbitmq_policy,rabbitmq_user' + step_config: 'include ::tripleo::profile::base::rabbitmq' + config_image: *rabbitmq_image + volumes: + - /var/lib/config-data/rabbitmq/etc/:/etc/ + - /var/lib/rabbitmq:/var/lib/rabbitmq:ro + host_prep_tasks: + - name: create persistent directories + file: + path: "{{ item }}" + state: directory + with_items: + - /var/log/containers/rabbitmq + - /var/lib/rabbitmq + upgrade_tasks: + - name: Stop and disable rabbitmq service + tags: step2 + service: name=rabbitmq-server state=stopped enabled=no diff --git a/docker/services/services.yaml b/docker/services/services.yaml index 125c4468..2ad3b63d 100644 --- a/docker/services/services.yaml +++ b/docker/services/services.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Utility stack to convert an array of services into a set of combined 
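Review bot: In `docker_puppet_tasks` the mount `/var/lib/config-data/rabbitmq/etc/:/etc/` has no `:ro` and covers the container's whole `/etc`, while the data directory on the next line is mounted `:ro`. If the `rabbitmq_policy,rabbitmq_user` run only needs to read the generated broker configuration, narrow and lock the mount the way the `rabbitmq` container does: `- /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro`. If the wider writable mount really is required, add a comment saying what the task writes there.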
@@ -26,6 +26,14 @@ parameters: description: Mapping of service -> default password. Used to help pass top level passwords managed by Heat into services. type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: @@ -36,6 +44,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} EndpointMap: {get_param: EndpointMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} ServiceChain: type: OS::Heat::ResourceChain @@ -46,6 +56,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} EndpointMap: {get_param: EndpointMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -67,7 +79,6 @@ outputs: {get_attr: [PuppetServices, role_data, global_config_settings]} step_config: {get_attr: [ServiceChain, role_data, step_config]} - docker_image: {get_attr: [ServiceChain, role_data, docker_image]} puppet_config: {get_attr: [ServiceChain, role_data, puppet_config]} kolla_config: map_merge: {get_attr: [ServiceChain, role_data, kolla_config]} 
@@ -75,3 +86,20 @@ outputs: {get_attr: [ServiceChain, role_data, docker_config]} docker_puppet_tasks: {get_attr: [ServiceChain, role_data, docker_puppet_tasks]} + host_prep_tasks: + yaql: + # Note we use distinct() here to filter any identical tasks + expression: $.data.where($ != null).select($.get('host_prep_tasks')).where($ != null).flatten().distinct() + data: {get_attr: [ServiceChain, role_data]} + upgrade_tasks: + yaql: + # Note we use distinct() here to filter any identical tasks, e.g yum update for all services + expression: $.data.where($ != null).select($.get('upgrade_tasks')).where($ != null).flatten().distinct() + data: {get_attr: [ServiceChain, role_data]} + upgrade_batch_tasks: + yaql: + # Note we use distinct() here to filter any identical tasks, e.g yum update for all services + expression: $.data.where($ != null).select($.get('upgrade_batch_tasks')).where($ != null).flatten().distinct() + data: {get_attr: [ServiceChain, role_data]} + service_metadata_settings: + get_attr: [PuppetServices, role_data, service_metadata_settings] diff --git a/docker/services/swift-proxy.yaml b/docker/services/swift-proxy.yaml index cdfefe2f..60972f91 100644 --- a/docker/services/swift-proxy.yaml +++ b/docker/services/swift-proxy.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized swift proxy service 
@@ -26,15 +26,35 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: + ContainersCommon: + type: ./containers-common.yaml + SwiftProxyBase: type: ../../puppet/services/swift-proxy.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
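Review bot: `EnableInternalTLS` is the only parameter added in this hunk without a `description`, although it decides whether the TLS proxy container and the certificate/key mounts are created. I would add one, for example `description: Enable TLS on the internal network; adds the swift_proxy_tls_proxy container and mounts the httpd certificate and key into it`.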
@@ -46,34 +66,72 @@ outputs: get_attr: [SwiftProxyBase, role_data, step_config] service_config_settings: {get_attr: [SwiftProxyBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &swift_proxy_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftProxyImage} ] puppet_config: config_volume: swift puppet_tags: swift_proxy_config step_config: *step_config - config_image: *swift_proxy_image + config_image: &swift_proxy_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerSwiftProxyImage} ] kolla_config: /var/lib/kolla/config_files/swift_proxy.json: command: /usr/bin/swift-proxy-server /etc/swift/proxy-server.conf + permissions: + - path: /var/log/swift + owner: swift:swift + recurse: true + /var/lib/kolla/config_files/swift_proxy_tls_proxy.json: + command: /usr/sbin/httpd -DFOREGROUND docker_config: step_4: - swift_proxy: - image: *swift_proxy_image - net: host - user: swift - restart: always - # I'm mounting /etc/swift as rw. Are the rings written to at all during runtime? - volumes: - - /var/lib/kolla/config_files/swift_proxy.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /run:/run - - swift-srv:/srv - - /dev:/dev - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + map_merge: + - swift_proxy: + image: *swift_proxy_image + net: host + user: swift + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/swift_proxy.json:/var/lib/kolla/config_files/config.json:ro + # FIXME I'm mounting /etc/swift as rw. Are the rings written to + # at all during runtime? 
+ - /var/lib/config-data/swift/etc/swift:/etc/swift:rw + - /run:/run + - /srv/node:/srv/node + - /dev:/dev + - /var/log/containers/swift:/var/log/swift + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - if: + - internal_tls_enabled + - swift_proxy_tls_proxy: + image: *swift_proxy_image + net: host + user: root + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/swift_proxy_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/swift/etc/httpd/:/etc/httpd/:ro + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - {} + host_prep_tasks: + - name: create persistent directories + file: + path: "{{ item }}" + state: directory + with_items: + - /var/log/containers/swift + - /srv/node + upgrade_tasks: + - name: Stop and disable swift_proxy service + tags: step2 + service: name=openstack-swift-proxy state=stopped enabled=no diff --git a/docker/services/swift-ringbuilder.yaml b/docker/services/swift-ringbuilder.yaml index 027a6956..bfd445d0 100644 --- a/docker/services/swift-ringbuilder.yaml +++ b/docker/services/swift-ringbuilder.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack Swift Ringbuilder @@ -21,6 +21,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -59,6 +67,8 @@ resources: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
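Review bot: `swift_proxy` keeps the read-write `/run:/run` and `/dev:/dev` binds while the block is re-indented under `map_merge`, and the `swift-srv` volume becomes the host path `/srv/node:/srv/node`. On a host-networked container these expose host device nodes and every socket under `/run`. The kolla command for this container is only `swift-proxy-server`, so it presumably does not need them, though the storage services may. I would drop those three lines from `swift_proxy` unless something is shown to depend on them. The FIXME could also be settled by testing a read-only mount: `- /var/lib/config-data/swift/etc/swift:/etc/swift:ro`.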
@@ -70,14 +80,13 @@ outputs: get_attr: [SwiftRingbuilderBase, role_data, step_config] service_config_settings: {get_attr: [SwiftRingbuilderBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &docker_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftProxyImage} ] puppet_config: config_volume: 'swift' puppet_tags: exec,ring_object_device,swift::ringbuilder::create,tripleo::profile::base::swift::add_devices,swift::ringbuilder::rebalance step_config: *step_config - config_image: *docker_image + config_image: + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerSwiftProxyImage} ] kolla_config: {} docker_config: {} diff --git a/docker/services/swift-storage.yaml b/docker/services/swift-storage.yaml index ab9946f3..017fb123 100644 --- a/docker/services/swift-storage.yaml +++ b/docker/services/swift-storage.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Swift Storage services. @@ -32,6 +32,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set @@ -41,12 +49,17 @@ parameters: resources: + ContainersCommon: + type: ./containers-common.yaml + SwiftStorageBase: type: ../../puppet/services/swift-storage.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
@@ -58,15 +71,14 @@ outputs: get_attr: [SwiftStorageBase, role_data, step_config] service_config_settings: {get_attr: [SwiftStorageBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &swift_proxy_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftProxyImage} ] puppet_config: config_volume: swift puppet_tags: swift_config,swift_container_config,swift_container_sync_realms_config,swift_account_config,swift_object_config,swift_object_expirer_config step_config: *step_config - config_image: *swift_proxy_image + config_image: &swift_proxy_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerSwiftProxyImage} ] kolla_config: /var/lib/kolla/config_files/swift_account_auditor.json: command: /usr/bin/swift-account-auditor /etc/swift/account-server.conf 
@@ -94,96 +106,92 @@ outputs: command: /usr/bin/swift-object-updater /etc/swift/object-server.conf /var/lib/kolla/config_files/swift_object_server.json: command: /usr/bin/swift-object-server /etc/swift/object-server.conf + permissions: + - path: /var/log/swift + owner: swift:swift + recurse: true docker_config: step_3: # The puppet config sets this up but we don't have a way to mount the named # volume during the configuration stage. We just need to create this # directory and make sure it's owned by swift. swift_setup_srv: - image: + image: &swift_account_image list_join: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerSwiftAccountImage} ] user: root - command: ['/bin/bash', '-c', 'mkdir /srv/node && chown swift:swift /srv/node'] + command: ['chown', '-R', 'swift:', '/srv/node'] volumes: - - swift-srv:/srv + - /srv/node:/srv/node step_4: swift_account_auditor: - image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftAccountImage} ] + image: *swift_account_image net: host user: swift restart: always volumes: - - /var/lib/kolla/config_files/swift_account_auditor.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /run:/run - - swift-srv:/srv - - /dev:/dev + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/swift_account_auditor.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/swift/etc/swift:/etc/swift:rw + - /run:/run + - /srv/node:/srv/node + - /dev:/dev + - /var/log/containers/swift:/var/log/swift environment: &kolla_env - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS swift_account_reaper: - image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftAccountImage} ] + image: *swift_account_image net: host user: swift restart: always volumes: - - 
/var/lib/kolla/config_files/swift_account_reaper.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /run:/run - - swift-srv:/srv - - /dev:/dev + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/swift_account_reaper.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/swift/etc/swift:/etc/swift:rw + - /run:/run + - /srv/node:/srv/node + - /dev:/dev + - /var/log/containers/swift:/var/log/swift environment: *kolla_env swift_account_replicator: - image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftAccountImage} ] + image: *swift_account_image net: host user: swift restart: always volumes: - - /var/lib/kolla/config_files/swift_account_replicator.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /run:/run - - swift-srv:/srv - - /dev:/dev + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/swift_account_replicator.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/swift/etc/swift:/etc/swift:rw + - /run:/run + - /srv/node:/srv/node + - /dev:/dev + - /var/log/containers/swift:/var/log/swift environment: *kolla_env swift_account_server: - image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftAccountImage} ] + image: *swift_account_image net: host user: swift restart: always volumes: - - /var/lib/kolla/config_files/swift_account_server.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - - 
/etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /run:/run - - swift-srv:/srv - - /dev:/dev + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/swift_account_server.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/swift/etc/swift:/etc/swift:rw + - /run:/run + - /srv/node:/srv/node + - /dev:/dev + - /var/log/containers/swift:/var/log/swift environment: *kolla_env swift_container_auditor: - image: + image: &swift_container_image list_join: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerSwiftContainerImage} ] 
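Review bot: `swift_setup_srv` now runs `chown -R swift: /srv/node` as root against the host bind mount `/srv/node:/srv/node`, where the old command changed only the directory it had just created. With the named volume gone, the recursion walks whatever already sits under the host's `/srv/node` and rewrites ownership to the container's swift uid, which can be slow on populated disks. If only the mount point needs fixing, `command: ['chown', 'swift:', '/srv/node']` keeps the earlier scope; otherwise a comment explaining why recursion is needed would help. The read-write `/run:/run` and `/dev:/dev` binds are repeated on every storage container in this hunk and the following ones, so it is worth confirming that each service needs both.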
@@ -191,71 +199,66 @@ outputs: user: swift restart: always volumes: - - /var/lib/kolla/config_files/swift_container_auditor.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /run:/run - - swift-srv:/srv - - /dev:/dev + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/swift_container_auditor.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/swift/etc/swift:/etc/swift:rw + - /run:/run + - /srv/node:/srv/node + - /dev:/dev + - /var/log/containers/swift:/var/log/swift environment: *kolla_env swift_container_replicator: - image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftContainerImage} ] + image: *swift_container_image net: host user: swift restart: always volumes: - - /var/lib/kolla/config_files/swift_container_replicator.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /run:/run - - swift-srv:/srv - - /dev:/dev + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/swift_container_replicator.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/swift/etc/swift:/etc/swift:rw + - /run:/run + - /srv/node:/srv/node + - /dev:/dev + - /var/log/containers/swift:/var/log/swift environment: *kolla_env swift_container_updater: - image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftContainerImage} ] + image: *swift_container_image net: host user: swift restart: always volumes: - - /var/lib/kolla/config_files/swift_container_updater.json:/var/lib/kolla/config_files/config.json:ro - - 
/var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /run:/run - - swift-srv:/srv - - /dev:/dev + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/swift_container_updater.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/swift/etc/swift:/etc/swift:rw + - /run:/run + - /srv/node:/srv/node + - /dev:/dev + - /var/log/containers/swift:/var/log/swift environment: *kolla_env swift_container_server: - image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftContainerImage} ] + image: *swift_container_image net: host user: swift restart: always volumes: - - /var/lib/kolla/config_files/swift_container_server.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /run:/run - - swift-srv:/srv - - /dev:/dev + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/swift_container_server.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/swift/etc/swift:/etc/swift:rw + - /run:/run + - /srv/node:/srv/node + - /dev:/dev + - /var/log/containers/swift:/var/log/swift environment: *kolla_env swift_object_auditor: - image: + image: &swift_object_image list_join: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerSwiftObjectImage} ] 
@@ -263,84 +266,102 @@ outputs: user: swift restart: always volumes: - - /var/lib/kolla/config_files/swift_object_auditor.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /run:/run - - swift-srv:/srv - - /dev:/dev + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/swift_object_auditor.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/swift/etc/swift:/etc/swift:rw + - /run:/run + - /srv/node:/srv/node + - /dev:/dev + - /var/log/containers/swift:/var/log/swift environment: *kolla_env swift_object_expirer: - image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftProxyImage} ] + image: *swift_proxy_image net: host user: swift restart: always volumes: - - /var/lib/kolla/config_files/swift_object_expirer.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /run:/run - - swift-srv:/srv - - /dev:/dev + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/swift_object_expirer.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/swift/etc/swift:/etc/swift:rw + - /run:/run + - /srv/node:/srv/node + - /dev:/dev + - /var/log/containers/swift:/var/log/swift environment: *kolla_env swift_object_replicator: - image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftObjectImage} ] + image: *swift_object_image net: host user: swift restart: always volumes: - - /var/lib/kolla/config_files/swift_object_replicator.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - 
- /var/lib/config-data/swift/etc/swift:/etc/swift:rw - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /run:/run - - swift-srv:/srv - - /dev:/dev + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/swift_object_replicator.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/swift/etc/swift:/etc/swift:rw + - /run:/run + - /srv/node:/srv/node + - /dev:/dev + - /var/log/containers/swift:/var/log/swift environment: *kolla_env swift_object_updater: - image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftObjectImage} ] + image: *swift_object_image net: host user: swift restart: always volumes: - - /var/lib/kolla/config_files/swift_object_updater.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /run:/run - - swift-srv:/srv - - /dev:/dev + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/swift_object_updater.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/swift/etc/swift:/etc/swift:rw + - /run:/run + - /srv/node:/srv/node + - /dev:/dev + - /var/log/containers/swift:/var/log/swift environment: *kolla_env swift_object_server: - image: - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerSwiftObjectImage} ] + image: *swift_object_image net: host user: swift restart: always volumes: - - /var/lib/kolla/config_files/swift_object_server.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/swift/:/var/lib/kolla/config_files/src:ro - - /var/lib/config-data/swift/etc/swift:/etc/swift:rw - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /run:/run - - swift-srv:/srv - - /dev:/dev + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - 
/var/lib/kolla/config_files/swift_object_server.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/swift/etc/swift:/etc/swift:rw + - /run:/run + - /srv/node:/srv/node + - /dev:/dev + - /var/log/containers/swift:/var/log/swift environment: *kolla_env + host_prep_tasks: + - name: create persistent directories + file: + path: "{{ item }}" + state: directory + with_items: + - /var/log/containers/swift + - /srv/node + upgrade_tasks: + - name: Stop and disable swift storage services + tags: step2 + service: name={{ item }} state=stopped enabled=no + with_items: + - openstack-swift-account-auditor + - openstack-swift-account-reaper + - openstack-swift-account-replicator + - openstack-swift-account + - openstack-swift-container-auditor + - openstack-swift-container-replicator + - openstack-swift-container-updater + - openstack-swift-container + - openstack-swift-object-auditor + - openstack-swift-object-replicator + - openstack-swift-object-updater + - openstack-swift-object diff --git a/docker/services/zaqar.yaml b/docker/services/zaqar.yaml index 1704278e..594df693 100644 --- a/docker/services/zaqar.yaml +++ b/docker/services/zaqar.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > OpenStack containerized Zaqar services @@ -26,15 +26,28 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json resources: + ContainersCommon: + type: ./containers-common.yaml + ZaqarBase: type: ../../puppet/services/zaqar.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: 
@@ -46,34 +59,23 @@ outputs: get_attr: [ZaqarBase, role_data, step_config] service_config_settings: {get_attr: [ZaqarBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS - docker_image: &zaqar_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerZaqarImage} ] puppet_config: config_volume: zaqar puppet_tags: zaqar_config step_config: *step_config - config_image: *zaqar_image + config_image: &zaqar_image + list_join: + - '/' + - [ {get_param: DockerNamespace}, {get_param: DockerZaqarImage} ] kolla_config: /var/lib/kolla/config_files/zaqar.json: - command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf - config_files: - - dest: /etc/zaqar/zaqar.conf - owner: zaqar - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/zaqar/zaqar.conf + command: /usr/sbin/httpd -DFOREGROUND /var/lib/kolla/config_files/zaqar_websocket.json: command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf --config-file /etc/zaqar/1.conf - config_files: - - dest: /etc/zaqar/zaqar.conf - owner: zaqar - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/zaqar/zaqar.conf - - dest: /etc/zaqar/1.conf - owner: zaqar - perm: '0640' - source: /var/lib/kolla/config_files/src/etc/zaqar/1.conf + permissions: + - path: /var/log/zaqar + owner: zaqar:zaqar + recurse: true docker_config: step_4: zaqar: 
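Review bot: Removing the `config_files` entries also removes the explicit `owner: zaqar` / `perm: '0640'` on `zaqar.conf` and `1.conf`. The new `permissions` block covers only `/var/log/zaqar`. With the read-only bind of `/var/lib/config-data/zaqar/etc/zaqar/` added later in this file, the in-container mode of those files is whatever docker-puppet left on the host. `zaqar.conf` presumably carries service credentials, so please confirm the generated files are not world-readable, and add a comment here noting where their mode is now enforced.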
@@ -81,11 +83,18 @@ outputs: net: host privileged: false restart: always + # NOTE(mandre) kolla image changes the user to 'zaqar', we need it + # to be root to run httpd + user: root volumes: - - /var/lib/kolla/config_files/zaqar.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/zaqar/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/zaqar.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/zaqar/etc/zaqar/:/etc/zaqar/:ro + - /var/lib/config-data/zaqar/var/www/:/var/www/:ro + - /var/lib/config-data/zaqar/etc/httpd/:/etc/httpd/:ro + - /var/log/containers/zaqar:/var/log/zaqar environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS zaqar_websocket: @@ -94,9 +103,22 @@ outputs: privileged: false restart: always volumes: - - /var/lib/kolla/config_files/zaqar_websocket.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/zaqar/:/var/lib/kolla/config_files/src:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/zaqar_websocket.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/zaqar/etc/zaqar/:/etc/zaqar/:ro + - /var/lib/config-data/zaqar/var/www/:/var/www/:ro + - /var/lib/config-data/zaqar/etc/httpd/:/etc/httpd/:ro + - /var/log/containers/zaqar:/var/log/zaqar environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/zaqar + state: directory + upgrade_tasks: + - name: Stop and disable zaqar service + tags: step2 + service: name=httpd state=stopped enabled=no |
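Review bot: `zaqar_websocket` receives the same `/etc/httpd/` and `/var/www/` mounts as `zaqar`, although its kolla command earlier in this file is `zaqar-server`, not httpd. Unless the websocket process reads them, I would drop `- /var/lib/config-data/zaqar/var/www/:/var/www/:ro` and `- /var/lib/config-data/zaqar/etc/httpd/:/etc/httpd/:ro` from that container so it sees only its own configuration. Separately, the new upgrade task stops and disables `httpd` on the host. If other services on the node are still served by that Apache instance, they would go down too, so a comment stating the assumption would help.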