summaryrefslogtreecommitdiffstats
path: root/docker
diff options
context:
space:
mode:
Diffstat (limited to 'docker')
-rwxr-xr-xdocker/firstboot/setup_docker_host.sh11
-rw-r--r--docker/firstboot/setup_docker_host.yaml19
-rw-r--r--docker/services/ceph-ansible/ceph-base.yaml19
-rw-r--r--docker/services/ceph-ansible/ceph-mds.yaml83
-rw-r--r--docker/services/database/mysql.yaml69
-rw-r--r--docker/services/glance-api.yaml11
-rw-r--r--docker/services/haproxy.yaml65
-rw-r--r--docker/services/nova-libvirt.yaml13
-rw-r--r--docker/services/nova-metadata.yaml66
-rw-r--r--docker/services/pacemaker/cinder-backup.yaml35
-rw-r--r--docker/services/pacemaker/cinder-volume.yaml35
-rw-r--r--docker/services/pacemaker/database/mysql.yaml36
-rw-r--r--docker/services/pacemaker/database/redis.yaml31
-rw-r--r--docker/services/pacemaker/haproxy.yaml90
-rw-r--r--docker/services/pacemaker/manila-share.yaml171
-rw-r--r--docker/services/pacemaker/rabbitmq.yaml49
16 files changed, 731 insertions, 72 deletions
diff --git a/docker/firstboot/setup_docker_host.sh b/docker/firstboot/setup_docker_host.sh
deleted file mode 100755
index af213bbd..00000000
--- a/docker/firstboot/setup_docker_host.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-set -eux
-# This file contains setup steps that can't be or have not yet been moved to
-# puppet
-
-# Disable libvirtd since it conflicts with nova_libvirt container
-/usr/bin/systemctl disable libvirtd.service
-/usr/bin/systemctl stop libvirtd.service
-# Disable virtlogd since it conflicts with nova_virtlogd container
-/usr/bin/systemctl disable virtlogd.service
-/usr/bin/systemctl stop virtlogd.service
diff --git a/docker/firstboot/setup_docker_host.yaml b/docker/firstboot/setup_docker_host.yaml
deleted file mode 100644
index ddfa8802..00000000
--- a/docker/firstboot/setup_docker_host.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-heat_template_version: pike
-
-resources:
-
- userdata:
- type: OS::Heat::MultipartMime
- properties:
- parts:
- - config: {get_resource: setup_docker_host}
-
- setup_docker_host:
- type: OS::Heat::SoftwareConfig
- properties:
- group: script
- config: {get_file: ./setup_docker_host.sh}
-
-outputs:
- OS::stack_id:
- value: {get_resource: userdata}
diff --git a/docker/services/ceph-ansible/ceph-base.yaml b/docker/services/ceph-ansible/ceph-base.yaml
index c38c4d1d..72ab53db 100644
--- a/docker/services/ceph-ansible/ceph-base.yaml
+++ b/docker/services/ceph-ansible/ceph-base.yaml
@@ -92,6 +92,14 @@ parameters:
description: default minimum replication for RBD copies
type: number
default: 3
+ ManilaCephFSNativeCephFSAuthId:
+ default: manila
+ type: string
+ CephManilaClientKey:
+ default: ''
+ description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
+ type: string
+ hidden: true
CephIPv6:
default: False
type: boolean
@@ -155,6 +163,7 @@ outputs:
ceph_ansible_playbook: {get_param: CephAnsiblePlaybook}
config_settings:
ceph_common_ansible_vars:
+ ireallymeanit: 'yes'
fsid: { get_param: CephClusterFSID }
docker: true
ceph_docker_registry: {get_attr: [DockerImageUrlParts, value, host]}
@@ -207,6 +216,16 @@ outputs:
GLANCE_POOL: {get_param: GlanceRbdPoolName}
GNOCCHI_POOL: {get_param: GnocchiRbdPoolName}
mode: "0644"
+ - name:
+ list_join:
+ - '.'
+ - - client
+ - {get_param: ManilaCephFSNativeCephFSAuthId}
+ key: {get_param: CephManilaClientKey}
+ mon_cap: "allow r, allow command auth del, allow command auth caps, allow command auth get, allow command auth get-or-create"
+ mds_cap: "allow *"
+ osd_cap: "allow rw"
+ mode: "0644"
keys: *openstack_keys
pools: []
ceph_conf_overrides:
diff --git a/docker/services/ceph-ansible/ceph-mds.yaml b/docker/services/ceph-ansible/ceph-mds.yaml
new file mode 100644
index 00000000..4ef3a669
--- /dev/null
+++ b/docker/services/ceph-ansible/ceph-mds.yaml
@@ -0,0 +1,83 @@
+heat_template_version: pike
+
+description: >
+ Ceph Metadata service.
+
+parameters:
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ CephMdsKey:
+ description: The cephx key for the MDS service. Can be created
+ with ceph-authtool --gen-print-key.
+ type: string
+ hidden: true
+ ManilaCephFSDataPoolName:
+ default: manila_data
+ type: string
+ ManilaCephFSMetadataPoolName:
+ default: manila_metadata
+ type: string
+ ManilaCephFSNativeShareBackendName:
+ default: cephfs
+ type: string
+
+resources:
+ CephBase:
+ type: ./ceph-base.yaml
+ properties:
+ ServiceData: {get_param: ServiceData}
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ RoleName: {get_param: RoleName}
+ RoleParameters: {get_param: RoleParameters}
+
+outputs:
+ role_data:
+ description: Role data for the Ceph Metadata service.
+ value:
+ service_name: ceph_mds
+ upgrade_tasks: []
+ step_config: ''
+ puppet_config:
+ config_image: ''
+ config_volume: ''
+ step_config: ''
+ docker_config: {}
+ service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]}
+ config_settings:
+ map_merge:
+ - tripleo.ceph_mds.firewall_rules:
+ '112 ceph_mds':
+ dport:
+ - '6800-7300'
+ - ceph_mds_ansible_vars:
+ map_merge:
+ - {get_attr: [CephBase, role_data, config_settings, ceph_common_ansible_vars]}
+ - cephfs_data: {get_param: ManilaCephFSDataPoolName}
+ cephfs_metadata: {get_param: ManilaCephFSMetadataPoolName}
+ cephfs: {get_param: ManilaCephFSNativeShareBackendName}
diff --git a/docker/services/database/mysql.yaml b/docker/services/database/mysql.yaml
index 54331415..402dc351 100644
--- a/docker/services/database/mysql.yaml
+++ b/docker/services/database/mysql.yaml
@@ -40,6 +40,18 @@ parameters:
type: string
hidden: true
default: ''
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
@@ -86,10 +98,21 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
+ optional: true
permissions:
- path: /var/lib/mysql
owner: mysql:mysql
recurse: true
+ - path: /etc/pki/tls/certs/mysql.crt
+ owner: mysql:mysql
+ optional: true
+ - path: /etc/pki/tls/private/mysql.key
+ owner: mysql:mysql
+ optional: true
docker_config:
# Kolla_bootstrap runs before permissions set by kolla_config
step_1:
@@ -108,12 +131,25 @@ outputs:
# Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
command: ['bash', '-c', 'test -e /var/lib/mysql/mysql || kolla_start']
volumes: &mysql_volumes
- - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json
- - /var/lib/config-data/puppet-generated/mysql/:/var/lib/kolla/config_files/src:ro
- - /etc/localtime:/etc/localtime:ro
- - /etc/hosts:/etc/hosts:ro
- - /var/lib/mysql:/var/lib/mysql
- - /var/log/containers/mysql:/var/log/mariadb
+ list_concat:
+ -
+ - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json
+ - /var/lib/config-data/puppet-generated/mysql/:/var/lib/kolla/config_files/src:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/hosts:/etc/hosts:ro
+ - /var/lib/mysql:/var/lib/mysql
+ - /var/log/containers/mysql:/var/log/mariadb
+ - if:
+ - internal_tls_enabled
+ -
+ - list_join:
+ - ':'
+ - - {get_param: InternalTLSCAFile}
+ - {get_param: InternalTLSCAFile}
+ - 'ro'
+ - /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
+ - /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
+ - null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- KOLLA_BOOTSTRAP=True
@@ -146,9 +182,24 @@ outputs:
step_config: 'include ::tripleo::profile::base::database::mysql'
config_image: *mysql_config_image
volumes:
- - /var/lib/mysql:/var/lib/mysql/:ro
- - /var/log/containers/mysql:/var/log/mariadb
- - /var/lib/config-data/mysql/root:/root:ro #provides .my.cnf
+ list_concat:
+ -
+ - /var/lib/mysql:/var/lib/mysql/:ro
+ - /var/log/containers/mysql:/var/log/mariadb
+ - /var/lib/config-data/mysql/root:/root:ro #provides .my.cnf
+ - if:
+ - internal_tls_enabled
+ -
+ - list_join:
+ - ':'
+ - - {get_param: InternalTLSCAFile}
+ - {get_param: InternalTLSCAFile}
+ - 'ro'
+ - /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
+ - /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
+ - null
+ metadata_settings:
+ get_attr: [MysqlPuppetBase, role_data, metadata_settings]
host_prep_tasks:
- name: create persistent directories
file:
diff --git a/docker/services/glance-api.yaml b/docker/services/glance-api.yaml
index 044eb283..df226b15 100644
--- a/docker/services/glance-api.yaml
+++ b/docker/services/glance-api.yaml
@@ -39,10 +39,16 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ GlanceNfsEnabled:
+ default: false
+ description: >
+ When using GlanceBackend 'file', mount NFS share for image storage.
+ type: boolean
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+ nfs_backend_enabled: {equals: [{get_param: GlanceNfsEnabled}, true]}
resources:
@@ -128,6 +134,11 @@ outputs:
- /var/lib/config-data/puppet-generated/glance_api/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/glance:/var/log/glance
- /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
+ -
+ if:
+ - nfs_backend_enabled
+ - /var/lib/glance:/var/lib/glance
+ - ''
environment:
- KOLLA_BOOTSTRAP=True
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml
index 2f0584ea..f0e2f71d 100644
--- a/docker/services/haproxy.yaml
+++ b/docker/services/haproxy.yaml
@@ -60,6 +60,18 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
@@ -86,6 +98,9 @@ outputs:
- get_attr: [HAProxyBase, role_data, config_settings]
- tripleo::haproxy::haproxy_daemon: false
tripleo::haproxy::haproxy_service_manage: false
+ # NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
+ # when this is updated
+ tripleo::haproxy::crl_file: null
step_config: &step_config
get_attr: [HAProxyBase, role_data, step_config]
service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
@@ -96,12 +111,23 @@ outputs:
step_config:
"class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
config_image: {get_param: DockerHAProxyConfigImage}
- volumes: &deployed_cert_mount
- - list_join:
- - ':'
- - - {get_param: DeployedSSLCertificatePath}
- - {get_param: DeployedSSLCertificatePath}
- - 'ro'
+ volumes:
+ list_concat:
+ - - list_join:
+ - ':'
+ - - {get_param: DeployedSSLCertificatePath}
+ - {get_param: DeployedSSLCertificatePath}
+ - 'ro'
+ - if:
+ - internal_tls_enabled
+ - - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro
+ - /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro
+ - list_join:
+ - ':'
+ - - {get_param: InternalTLSCAFile}
+ - {get_param: InternalTLSCAFile}
+ - 'ro'
+ - null
kolla_config:
/var/lib/kolla/config_files/haproxy.json:
command: haproxy -f /etc/haproxy/haproxy.cfg
@@ -110,6 +136,16 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
+ optional: true
+ permissions:
+ - path: /etc/pki/tls/certs/haproxy
+ owner: haproxy:haproxy
+ recurse: true
+ optional: true
docker_config:
step_1:
haproxy_firewall:
@@ -133,7 +169,6 @@ outputs:
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - *deployed_cert_mount
-
- /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
@@ -154,10 +189,24 @@ outputs:
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - *deployed_cert_mount
-
- /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
+ - list_join:
+ - ':'
+ - - {get_param: DeployedSSLCertificatePath}
+ - {get_param: DeployedSSLCertificatePath}
+ - 'ro'
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
+ - ''
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
+ - ''
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml
index 7637e6e9..62c25bb2 100644
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@@ -243,6 +243,19 @@ outputs:
file:
path: /etc/ceph
state: directory
+ - name: check if libvirt is installed
+ command: /usr/bin/rpm -q libvirt-daemon
+ failed_when: false
+ register: libvirt_installed
+ - name: make sure libvirt services are disabled
+ service:
+ name: "{{ item }}"
+ state: stopped
+ enabled: no
+ with_items:
+ - libvirtd.service
+ - virtlogd.socket
+ when: libvirt_installed.rc == 0
upgrade_tasks:
- name: Stop and disable libvirtd service
tags: step2
diff --git a/docker/services/nova-metadata.yaml b/docker/services/nova-metadata.yaml
index 0a8a74cd..53ae7910 100644
--- a/docker/services/nova-metadata.yaml
+++ b/docker/services/nova-metadata.yaml
@@ -4,6 +4,12 @@ description: >
OpenStack containerized Nova Metadata service
parameters:
+ DockerNovaMetadataImage:
+ description: image
+ type: string
+ DockerNovaConfigImage:
+ description: The container image to use for the nova config_volume
+ type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
@@ -33,6 +39,9 @@ parameters:
resources:
+ ContainersCommon:
+ type: ./containers-common.yaml
+
NovaMetadataBase:
type: ../../puppet/services/nova-metadata.yaml
properties:
@@ -56,9 +65,56 @@ outputs:
service_config_settings: {get_attr: [NovaMetadataBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
puppet_config:
- config_volume: ''
- puppet_tags: ''
+ config_volume: nova
+ puppet_tags: nova_config
step_config: *step_config
- config_image: ''
- kolla_config: {}
- docker_config: {}
+ config_image: {get_param: DockerNovaConfigImage}
+ kolla_config:
+ /var/lib/kolla/config_files/nova_metadata.json:
+ command: /usr/bin/nova-api-metadata
+ config_files:
+ - source: "/var/lib/kolla/config_files/src/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
+ permissions:
+ - path: /var/log/nova
+ owner: nova:nova
+ recurse: true
+ docker_config:
+ step_2:
+ nova_init_logs:
+ image: &nova_metadata_image {get_param: DockerNovaMetadataImage}
+ privileged: false
+ user: root
+ volumes:
+ - /var/log/containers/nova:/var/log/nova
+ command: ['/bin/bash', '-c', 'chown -R nova:nova /var/log/nova']
+ step_4:
+ nova_metadata:
+ start_order: 2
+ image: *nova_metadata_image
+ net: host
+ user: nova
+ privileged: true
+ restart: always
+ volumes:
+ list_concat:
+ - {get_attr: [ContainersCommon, volumes]}
+ -
+ - /var/lib/kolla/config_files/nova_metadata.json:/var/lib/kolla/config_files/config.json:ro
+ - /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro
+ - /var/log/containers/nova:/var/log/nova
+ environment:
+ - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ metadata_settings:
+ get_attr: [NovaMetadataBase, role_data, metadata_settings]
+ host_prep_tasks:
+ - name: create persistent logs directory
+ file:
+ path: /var/log/containers/nova
+ state: directory
+ upgrade_tasks:
+ - name: Stop and disable nova_api service
+ tags: step2
+ service: name=openstack-nova-api state=stopped enabled=no
diff --git a/docker/services/pacemaker/cinder-backup.yaml b/docker/services/pacemaker/cinder-backup.yaml
index c6a80efa..c2117c04 100644
--- a/docker/services/pacemaker/cinder-backup.yaml
+++ b/docker/services/pacemaker/cinder-backup.yaml
@@ -76,7 +76,13 @@ outputs:
config_settings:
map_merge:
- get_attr: [CinderBackupBase, role_data, config_settings]
- - tripleo::profile::pacemaker::cinder::backup_bundle::cinder_backup_docker_image: &cinder_backup_image {get_param: DockerCinderBackupImage}
+ - tripleo::profile::pacemaker::cinder::backup_bundle::cinder_backup_docker_image: &cinder_backup_image_pcmklatest
+ list_join:
+ - ':'
+ - - yaql:
+ data: {get_param: DockerCinderBackupImage}
+ expression: $.data.rightSplit(separator => ":", maxSplits => 1)[0]
+ - 'pcmklatest'
cinder::backup::manage_service: false
cinder::backup::enabled: false
step_config: ""
@@ -102,10 +108,33 @@ outputs:
owner: cinder:cinder
recurse: true
docker_config:
+ step_1:
+ cinder_backup_image_tag:
+ start_order: 1
+ detach: false
+ net: host
+ user: root
+ command:
+ - '/bin/bash'
+ - '-c'
+ - str_replace:
+ template:
+ "/usr/bin/docker tag 'CINDERBACKUP_IMAGE' 'CINDERBACKUP_IMAGE_PCMKLATEST'"
+ params:
+ CINDERBACKUP_IMAGE: {get_param: DockerCinderBackupImage}
+ CINDERBACKUP_IMAGE_PCMKLATEST: *cinder_backup_image_pcmklatest
+ image: {get_param: DockerCinderBackupImage}
+ volumes:
+ - /etc/hosts:/etc/hosts:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /dev/shm:/dev/shm:rw
+ - /etc/sysconfig/docker:/etc/sysconfig/docker:ro
+ - /usr/bin:/usr/bin:ro
+ - /var/run/docker.sock:/var/run/docker.sock:rw
step_3:
cinder_backup_init_logs:
start_order: 0
- image: *cinder_backup_image
+ image: {get_param: DockerCinderBackupImage}
privileged: false
user: root
volumes:
@@ -129,7 +158,7 @@ outputs:
params:
TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::constraint::location'
CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::cinder::backup_bundle'
- image: *cinder_backup_image
+ image: {get_param: DockerCinderBackupImage}
volumes:
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
diff --git a/docker/services/pacemaker/cinder-volume.yaml b/docker/services/pacemaker/cinder-volume.yaml
index 3c1b7a74..a4f69517 100644
--- a/docker/services/pacemaker/cinder-volume.yaml
+++ b/docker/services/pacemaker/cinder-volume.yaml
@@ -69,7 +69,13 @@ outputs:
config_settings:
map_merge:
- get_attr: [CinderBase, role_data, config_settings]
- - tripleo::profile::pacemaker::cinder::volume_bundle::cinder_volume_docker_image: &cinder_volume_image {get_param: DockerCinderVolumeImage}
+ - tripleo::profile::pacemaker::cinder::volume_bundle::cinder_volume_docker_image: &cinder_volume_image_pcmklatest
+ list_join:
+ - ':'
+ - - yaql:
+ data: {get_param: DockerCinderVolumeImage}
+ expression: $.data.rightSplit(separator => ":", maxSplits => 1)[0]
+ - 'pcmklatest'
cinder::volume::manage_service: false
cinder::volume::enabled: false
cinder::host: hostgroup
@@ -93,10 +99,33 @@ outputs:
owner: cinder:cinder
recurse: true
docker_config:
+ step_1:
+ cinder_volume_image_tag:
+ start_order: 1
+ detach: false
+ net: host
+ user: root
+ command:
+ - '/bin/bash'
+ - '-c'
+ - str_replace:
+ template:
+ "/usr/bin/docker tag 'CINDERVOLUME_IMAGE' 'CINDERVOLUME_IMAGE_PCMKLATEST'"
+ params:
+ CINDERVOLUME_IMAGE: {get_param: DockerCinderVolumeImage}
+ CINDERVOLUME_IMAGE_PCMKLATEST: *cinder_volume_image_pcmklatest
+ image: {get_param: DockerCinderVolumeImage}
+ volumes:
+ - /etc/hosts:/etc/hosts:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /dev/shm:/dev/shm:rw
+ - /etc/sysconfig/docker:/etc/sysconfig/docker:ro
+ - /usr/bin:/usr/bin:ro
+ - /var/run/docker.sock:/var/run/docker.sock:rw
step_3:
cinder_volume_init_logs:
start_order: 0
- image: *cinder_volume_image
+ image: {get_param: DockerCinderVolumeImage}
privileged: false
user: root
volumes:
@@ -120,7 +149,7 @@ outputs:
params:
TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::constraint::location'
CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::cinder::volume_bundle'
- image: *cinder_volume_image
+ image: {get_param: DockerCinderVolumeImage}
volumes:
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
diff --git a/docker/services/pacemaker/database/mysql.yaml b/docker/services/pacemaker/database/mysql.yaml
index 8ba7d723..3de1696d 100644
--- a/docker/services/pacemaker/database/mysql.yaml
+++ b/docker/services/pacemaker/database/mysql.yaml
@@ -79,7 +79,13 @@ outputs:
config_settings:
map_merge:
- {get_attr: [MysqlPuppetBase, role_data, config_settings]}
- - tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image: &mysql_image {get_param: DockerMysqlImage}
+ - tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image: &mysql_image_pcmklatest
+ list_join:
+ - ':'
+ - - yaql:
+ data: {get_param: DockerMysqlImage}
+ expression: $.data.rightSplit(separator => ":", maxSplits => 1)[0]
+ - 'pcmklatest'
tripleo::profile::pacemaker::database::mysql_bundle::control_port: 3123
tripleo.mysql.firewall_rules:
'104 mysql galera-bundle':
@@ -141,7 +147,7 @@ outputs:
mysql_data_ownership:
start_order: 0
detach: false
- image: *mysql_image
+ image: {get_param: DockerMysqlImage}
net: host
user: root
# Kolla does only non-recursive chown
@@ -151,7 +157,7 @@ outputs:
mysql_bootstrap:
start_order: 1
detach: false
- image: *mysql_image
+ image: {get_param: DockerMysqlImage}
net: host
# Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
command:
@@ -196,6 +202,28 @@ outputs:
passwords:
- {get_param: MysqlRootPassword}
- {get_param: [DefaultPasswords, mysql_root_password]}
+ mysql_image_tag:
+ start_order: 2
+ detach: false
+ net: host
+ user: root
+ command:
+ - '/bin/bash'
+ - '-c'
+ - str_replace:
+ template:
+ "/usr/bin/docker tag 'MYSQL_IMAGE' 'MYSQL_IMAGE_PCMKLATEST'"
+ params:
+ MYSQL_IMAGE: {get_param: DockerMysqlImage}
+ MYSQL_IMAGE_PCMKLATEST: *mysql_image_pcmklatest
+ image: {get_param: DockerMysqlImage}
+ volumes:
+ - /etc/hosts:/etc/hosts:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /dev/shm:/dev/shm:rw
+ - /etc/sysconfig/docker:/etc/sysconfig/docker:ro
+ - /usr/bin:/usr/bin:ro
+ - /var/run/docker.sock:/var/run/docker.sock:rw
step_2:
mysql_init_bundle:
start_order: 1
@@ -214,7 +242,7 @@ outputs:
params:
TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation,galera_ready,mysql_database,mysql_grant,mysql_user'
CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::database::mysql_bundle'
- image: *mysql_image
+ image: {get_param: DockerMysqlImage}
volumes:
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
diff --git a/docker/services/pacemaker/database/redis.yaml b/docker/services/pacemaker/database/redis.yaml
index 75b6d650..0b8aa046 100644
--- a/docker/services/pacemaker/database/redis.yaml
+++ b/docker/services/pacemaker/database/redis.yaml
@@ -60,7 +60,13 @@ outputs:
- redis::service_manage: false
redis::notify_service: false
redis::managed_by_cluster_manager: true
- tripleo::profile::pacemaker::database::redis_bundle::redis_docker_image: &redis_image {get_param: DockerRedisImage}
+ tripleo::profile::pacemaker::database::redis_bundle::redis_docker_image: &redis_image_pcmklatest
+ list_join:
+ - ':'
+ - - yaql:
+ data: {get_param: DockerRedisImage}
+ expression: $.data.rightSplit(separator => ":", maxSplits => 1)[0]
+ - 'pcmklatest'
tripleo::profile::pacemaker::database::redis_bundle::control_port: 3124
tripleo.redis.firewall_rules:
'108 redis-bundle':
@@ -104,6 +110,29 @@ outputs:
owner: redis:redis
recurse: true
docker_config:
+ step_1:
+ redis_image_tag:
+ start_order: 1
+ detach: false
+ net: host
+ user: root
+ command:
+ - '/bin/bash'
+ - '-c'
+ - str_replace:
+ template:
+ "/usr/bin/docker tag 'REDIS_IMAGE' 'REDIS_IMAGE_PCMKLATEST'"
+ params:
+ REDIS_IMAGE: {get_param: DockerRedisImage}
+ REDIS_IMAGE_PCMKLATEST: *redis_image_pcmklatest
+ image: {get_param: DockerRedisImage}
+ volumes:
+ - /etc/hosts:/etc/hosts:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /dev/shm:/dev/shm:rw
+ - /etc/sysconfig/docker:/etc/sysconfig/docker:ro
+ - /usr/bin:/usr/bin:ro
+ - /var/run/docker.sock:/var/run/docker.sock:rw
step_2:
redis_init_bundle:
start_order: 2
diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml
index 24155912..2e5c7424 100644
--- a/docker/services/pacemaker/haproxy.yaml
+++ b/docker/services/pacemaker/haproxy.yaml
@@ -41,6 +41,22 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
+ InternalTLSCRLPEMFile:
+ default: '/etc/pki/CA/crl/overcloud-crl.pem'
+ type: string
+ description: Specifies the default CRL PEM file to use for revocation if
+ TLS is used for services in the internal network.
+ HAProxyInternalTLSCertsDirectory:
+ default: '/etc/pki/tls/certs/haproxy'
+ type: string
+ HAProxyInternalTLSKeysDirectory:
+ default: '/etc/pki/tls/private/haproxy'
+ type: string
resources:
@@ -65,6 +81,24 @@ outputs:
- tripleo::haproxy::haproxy_daemon: false
haproxy_docker: true
tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image {get_param: DockerHAProxyImage}
+ # the list of directories that contain the certs to bind mount in the countainer
+ # bind-mounting the directories rather than all the cert, key and pem files ensures
+ # that docker won't create directories on the host when then pem files do not exist
+ tripleo::profile::pacemaker::haproxy_bundle::tls_mapping: &tls_mapping
+ - get_param: InternalTLSCAFile
+ - get_param: HAProxyInternalTLSKeysDirectory
+ - get_param: HAProxyInternalTLSCertsDirectory
+ tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory}
+ tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory}
+ # disable the use CRL file until we can restart the container when the file expires
+ tripleo::haproxy::crl_file: null
+ tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image_pcmklatest
+ list_join:
+ - ':'
+ - - yaql:
+ data: {get_param: DockerHAProxyImage}
+ expression: $.data.rightSplit(separator => ":", maxSplits => 1)[0]
+ - 'pcmklatest'
step_config: ""
service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
@@ -80,11 +114,9 @@ outputs:
- 'include ::tripleo::profile::pacemaker::haproxy_bundle'
config_image: {get_param: DockerHAProxyConfigImage}
volumes: &deployed_cert_mount
- - list_join:
- - ':'
- - - {get_param: DeployedSSLCertificatePath}
- - {get_param: DeployedSSLCertificatePath}
- - 'ro'
+ yaql:
+ expression: $.data.select($+":"+$+":ro")
+ data: *tls_mapping
kolla_config:
/var/lib/kolla/config_files/haproxy.json:
command: haproxy -f /etc/haproxy/haproxy.cfg
@@ -94,7 +126,53 @@ outputs:
merge: true
preserve_properties: true
optional: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ optional: true
+ preserve_properties: true
+ permissions:
+ - path:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSCertsDirectory}
+ - '/*'
+ owner: haproxy:haproxy
+ perm: '0600'
+ optional: true
+ - path:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSKeysDirectory}
+ - '/*'
+ owner: haproxy:haproxy
+ perm: '0600'
+ optional: true
docker_config:
+ step_1:
+ haproxy_image_tag:
+ start_order: 1
+ detach: false
+ net: host
+ user: root
+ command:
+ - '/bin/bash'
+ - '-c'
+ - str_replace:
+ template:
+ "/usr/bin/docker tag 'HAPROXY_IMAGE' 'HAPROXY_IMAGE_PCMKLATEST'"
+ params:
+ HAPROXY_IMAGE: {get_param: DockerHAProxyImage}
+ HAPROXY_IMAGE_PCMKLATEST: *haproxy_image_pcmklatest
+ image: {get_param: DockerHAProxyImage}
+ volumes:
+ - /etc/hosts:/etc/hosts:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /dev/shm:/dev/shm:rw
+ - /etc/sysconfig/docker:/etc/sysconfig/docker:ro
+ - /usr/bin:/usr/bin:ro
+ - /var/run/docker.sock:/var/run/docker.sock:rw
+ image: {get_param: DockerHAProxyImage}
step_2:
haproxy_init_bundle:
start_order: 3
@@ -118,7 +196,7 @@ outputs:
- ';'
- - 'include ::tripleo::profile::base::pacemaker'
- 'include ::tripleo::profile::pacemaker::haproxy_bundle'
- image: *haproxy_image
+ image: {get_param: DockerHAProxyImage}
volumes:
list_concat:
- *deployed_cert_mount
diff --git a/docker/services/pacemaker/manila-share.yaml b/docker/services/pacemaker/manila-share.yaml
new file mode 100644
index 00000000..c88737aa
--- /dev/null
+++ b/docker/services/pacemaker/manila-share.yaml
@@ -0,0 +1,171 @@
+heat_template_version: pike
+
+description: >
+ OpenStack containerized Manila Share service
+
+parameters:
+ DockerManilaShareImage:
+ description: image
+ type: string
+ DockerManilaConfigImage:
+ description: image
+ type: string
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+
+resources:
+
+ MySQLClient:
+ type: ../../../puppet/services/database/mysql-client.yaml
+
+ ManilaBase:
+ type: ../../../puppet/services/pacemaker/manila-share.yaml
+ properties:
+ EndpointMap: {get_param: EndpointMap}
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ RoleName: {get_param: RoleName}
+ RoleParameters: {get_param: RoleParameters}
+
+outputs:
+ role_data:
+ description: Role data for the Manila Share role.
+ value:
+ service_name: {get_attr: [ManilaBase, role_data, service_name]}
+ config_settings:
+ map_merge:
+ - get_attr: [ManilaBase, role_data, config_settings]
+ - tripleo::profile::pacemaker::manila::share_bundle::manila_share_docker_image: &manila_share_image_pcmklatest
+ list_join:
+ - ':'
+ - - yaql:
+ data: {get_param: DockerManilaShareImage}
+ expression: $.data.rightSplit(separator => ":", maxSplits => 1)[0]
+ - 'pcmklatest'
+ manila::share::manage_service: false
+ manila::share::enabled: false
+ manila::host: hostgroup
+ step_config: ""
+ service_config_settings: {get_attr: [ManilaBase, role_data, service_config_settings]}
+ # BEGIN DOCKER SETTINGS
+ puppet_config:
+ config_volume: manila
+ puppet_tags: manila_config,file,concat,file_line
+ step_config:
+ list_join:
+ - "\n"
+ - - {get_attr: [ManilaBase, role_data, step_config]}
+ - - {get_attr: [MySQLClient, role_data, step_config]}
+ config_image: {get_param: DockerManilaConfigImage}
+ kolla_config:
+ /var/lib/kolla/config_files/manila_share.json:
+ command: /usr/bin/manila-share --config-file /usr/share/manila/manila-dist.conf --config-file /etc/manila/manila.conf
+ config_files:
+ - source: "/var/lib/kolla/config_files/src/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
+ # NOTE(gfidente): ceph ansible generated
+ - source: "/var/lib/kolla/config_files/src-ceph/"
+ dest: "/etc/ceph"
+ merge: true
+ preserve_properties: true
+ permissions:
+ - path: /var/log/manila
+ owner: manila:manila
+ recurse: true
+ docker_config:
+ step_1:
+ manila_share_image_tag:
+ start_order: 1
+ detach: false
+ net: host
+ user: root
+ command:
+ - '/bin/bash'
+ - '-c'
+ - str_replace:
+ template:
+ "/usr/bin/docker tag 'MANILASHARE_IMAGE' 'MANILASHARE_IMAGE_PCMKLATEST'"
+ params:
+ MANILASHARE_IMAGE: {get_param: DockerManilaShareImage}
+ MANILASHARE_IMAGE_PCMKLATEST: *manila_share_image_pcmklatest
+ image: {get_param: DockerManilaShareImage}
+ volumes:
+ - /etc/hosts:/etc/hosts:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /dev/shm:/dev/shm:rw
+ - /etc/sysconfig/docker:/etc/sysconfig/docker:ro
+ - /usr/bin:/usr/bin:ro
+ - /var/run/docker.sock:/var/run/docker.sock:rw
+ step_3:
+ manila_share_init_logs:
+ start_order: 0
+ image: {get_param: DockerManilaShareImage}
+ privileged: false
+ user: root
+ volumes:
+ - /var/log/containers/manila:/var/log/manila
+ command: ['/bin/bash', '-c', 'chown -R manila:manila /var/log/manila']
+ step_5:
+ manila_share_init_bundle:
+ start_order: 0
+ detach: false
+ net: host
+ user: root
+ command:
+ - '/bin/bash'
+ - '-c'
+ - str_replace:
+ template:
+ list_join:
+ - '; '
+ - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 5}' > /etc/puppet/hieradata/docker.json"
+ - "FACTER_uuid=docker puppet apply --tags file_line,concat,augeas,TAGS --debug -v -e 'CONFIG'"
+ params:
+ TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::constraint::location'
+ CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::manila::share_bundle'
+ image: {get_param: DockerManilaShareImage}
+ volumes:
+ - /etc/hosts:/etc/hosts:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/puppet:/tmp/puppet-etc:ro
+ - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
+ - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
+ - /dev/shm:/dev/shm:rw
+ host_prep_tasks:
+ - name: create persistent directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - /var/log/containers/manila
+ - /var/lib/manila
+ upgrade_tasks:
+ - name: Stop and disable manila_share service
+ tags: step2
+ service: name=openstack-manila-share state=stopped enabled=no
diff --git a/docker/services/pacemaker/rabbitmq.yaml b/docker/services/pacemaker/rabbitmq.yaml
index de53ceee..ba1abaf9 100644
--- a/docker/services/pacemaker/rabbitmq.yaml
+++ b/docker/services/pacemaker/rabbitmq.yaml
@@ -62,7 +62,13 @@ outputs:
map_merge:
- {get_attr: [RabbitmqBase, role_data, config_settings]}
- rabbitmq::service_manage: false
- tripleo::profile::pacemaker::rabbitmq_bundle::rabbitmq_docker_image: &rabbitmq_image {get_param: DockerRabbitmqImage}
+ tripleo::profile::pacemaker::rabbitmq_bundle::rabbitmq_docker_image: &rabbitmq_image_pcmklatest
+ list_join:
+ - ':'
+ - - yaql:
+ data: {get_param: DockerRabbitmqImage}
+ expression: $.data.rightSplit(separator => ":", maxSplits => 1)[0]
+ - 'pcmklatest'
tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122
tripleo.rabbitmq.firewall_rules:
'109 rabbitmq-bundle':
@@ -92,6 +98,11 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ optional: true
+ preserve_properties: true
permissions:
- path: /var/lib/rabbitmq
owner: rabbitmq:rabbitmq
@@ -99,13 +110,21 @@ outputs:
- path: /var/log/rabbitmq
owner: rabbitmq:rabbitmq
recurse: true
+ - path: /etc/pki/tls/certs/rabbitmq.crt
+ owner: rabbitmq:rabbitmq
+ perm: '0600'
+ optional: true
+ - path: /etc/pki/tls/private/rabbitmq.key
+ owner: rabbitmq:rabbitmq
+ perm: '0600'
+ optional: true
# When using pacemaker we don't launch the container, instead that is done by pacemaker
# itself.
docker_config:
step_1:
rabbitmq_bootstrap:
start_order: 0
- image: *rabbitmq_image
+ image: {get_param: DockerRabbitmqImage}
net: host
privileged: false
volumes:
@@ -128,6 +147,28 @@ outputs:
passwords:
- {get_param: RabbitCookie}
- {get_param: [DefaultPasswords, rabbit_cookie]}
+ rabbitmq_image_tag:
+ start_order: 1
+ detach: false
+ net: host
+ user: root
+ command:
+ - '/bin/bash'
+ - '-c'
+ - str_replace:
+ template:
+ "/usr/bin/docker tag 'RABBITMQ_IMAGE' 'RABBITMQ_IMAGE_PCMKLATEST'"
+ params:
+ RABBITMQ_IMAGE: {get_param: DockerRabbitmqImage}
+ RABBITMQ_IMAGE_PCMKLATEST: *rabbitmq_image_pcmklatest
+ image: {get_param: DockerRabbitmqImage}
+ volumes:
+ - /etc/hosts:/etc/hosts:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /dev/shm:/dev/shm:rw
+ - /etc/sysconfig/docker:/etc/sysconfig/docker:ro
+ - /usr/bin:/usr/bin:ro
+ - /var/run/docker.sock:/var/run/docker.sock:rw
step_2:
rabbitmq_init_bundle:
start_order: 0
@@ -146,7 +187,7 @@ outputs:
params:
TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::rabbitmq_bundle'
- image: *rabbitmq_image
+ image: {get_param: DockerRabbitmqImage}
volumes:
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
@@ -164,6 +205,8 @@ outputs:
echo 'export ERL_EPMD_ADDRESS=127.0.0.1' > /etc/rabbitmq/rabbitmq-env.conf
echo 'export ERL_EPMD_PORT=4370' >> /etc/rabbitmq/rabbitmq-env.conf
for pid in $(pgrep epmd); do if [ "$(lsns -o NS -p $pid)" == "$(lsns -o NS -p 1)" ]; then kill $pid; break; fi; done
+ metadata_settings:
+ get_attr: [RabbitmqBase, role_data, metadata_settings]
upgrade_tasks:
- name: get bootstrap nodeid
tags: common