diff options
Diffstat (limited to 'docker')
-rwxr-xr-x | docker/docker-puppet.py | 17 | ||||
-rw-r--r-- | docker/services/database/mongodb.yaml | 13 | ||||
-rw-r--r-- | docker/services/database/mysql.yaml | 18 | ||||
-rw-r--r-- | docker/services/keystone.yaml | 17 | ||||
-rw-r--r-- | docker/services/nova-api.yaml | 5 | ||||
-rw-r--r-- | docker/services/zaqar.yaml | 9 |
6 files changed, 53 insertions, 26 deletions
diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py index eb647737..5c68b08d 100755 --- a/docker/docker-puppet.py +++ b/docker/docker-puppet.py @@ -202,6 +202,12 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro', '--volume', '/var/lib/config-data/:/var/lib/config-data/:rw', '--volume', 'tripleo_logs:/var/log/tripleo/', + # OpenSSL trusted CA injection + '--volume', '/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro', + '--volume', '/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro', + '--volume', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro', + '--volume', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro', + # script injection '--volume', '%s:%s:rw' % (sh_script, sh_script) ] for volume in volumes: @@ -259,4 +265,13 @@ for p in process_map: # Fire off processes to perform each configuration. Defaults # to the number of CPUs on the system. p = multiprocessing.Pool(process_count) -p.map(mp_puppet_config, process_map) +returncodes = list(p.map(mp_puppet_config, process_map)) +config_volumes = [pm[0] for pm in process_map] +success = True +for returncode, config_volume in zip(returncodes, config_volumes): + if returncode != 0: + print('ERROR configuring %s' % config_volume) + success = False + +if not success: + sys.exit(1) diff --git a/docker/services/database/mongodb.yaml b/docker/services/database/mongodb.yaml index 5756c322..7d2d1a15 100644 --- a/docker/services/database/mongodb.yaml +++ b/docker/services/database/mongodb.yaml @@ -62,18 +62,13 @@ outputs: kolla_config: /var/lib/kolla/config_files/mongodb.json: command: /usr/bin/mongod --unixSocketPrefix=/var/run/mongodb --config /etc/mongod.conf run + permissions: + - path: /var/lib/mongodb + owner: mongodb:mongodb + recurse: true docker_config: step_2: - mongodb_data_ownership: - start_order: 0 - image: *mongodb_image - net: host - user: root - command: ['chown', '-R', 'mongodb:', '/var/lib/mongodb'] - volumes: - - /var/lib/mongodb:/var/lib/mongodb mongodb: - start_order: 1 image: *mongodb_image net: host privileged: false diff --git a/docker/services/database/mysql.yaml b/docker/services/database/mysql.yaml index 372f059c..cba2070d 100644 --- a/docker/services/database/mysql.yaml +++ b/docker/services/database/mysql.yaml @@ -71,20 +71,14 @@ outputs: kolla_config: /var/lib/kolla/config_files/mysql.json: command: /usr/bin/mysqld_safe + permissions: + - path: /var/lib/mysql + owner: mysql:mysql + recurse: true docker_config: step_2: - mysql_data_ownership: - start_order: 0 - detach: false - image: *mysql_image - net: host - user: root - # Kolla does only non-recursive chown - command: ['chown', '-R', 'mysql:', '/var/lib/mysql'] - volumes: - - /var/lib/mysql:/var/lib/mysql mysql_bootstrap: - start_order: 1 + start_order: 0 detach: false image: *mysql_image net: host @@ -113,7 +107,7 @@ outputs: - {get_param: MysqlRootPassword} - {get_param: [DefaultPasswords, mysql_root_password]} mysql: - start_order: 2 + start_order: 1 image: *mysql_image restart: always net: host diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml index 90ddeb9f..526a357b 100644 --- a/docker/services/keystone.yaml +++ b/docker/services/keystone.yaml @@ -36,6 +36,9 @@ parameters: default: 'fernet' constraints: - allowed_values: ['uuid', 'fernet'] + EnableInternalTLS: + type: boolean + default: false resources: @@ -46,6 +49,10 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + outputs: role_data: description: Role data for the Keystone API role. @@ -96,6 +103,16 @@ outputs: - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro - logs:/var/log + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - + if: + - internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' environment: - KOLLA_BOOTSTRAP=True - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml index 4cd48b75..97fafb09 100644 --- a/docker/services/nova-api.yaml +++ b/docker/services/nova-api.yaml @@ -50,7 +50,10 @@ outputs: - get_attr: [NovaApiBase, role_data, config_settings] - apache::default_vhost: false step_config: &step_config - get_attr: [NovaApiBase, role_data, step_config] + list_join: + - "\n" + - - "['Nova_cell_v2'].each |String $val| { noop_resource($val) }" + - {get_attr: [NovaApiBase, role_data, step_config]} service_config_settings: {get_attr: [NovaApiBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS puppet_config: diff --git a/docker/services/zaqar.yaml b/docker/services/zaqar.yaml index 21aff31a..1160031f 100644 --- a/docker/services/zaqar.yaml +++ b/docker/services/zaqar.yaml @@ -56,7 +56,7 @@ outputs: - [ {get_param: DockerNamespace}, {get_param: DockerZaqarImage} ] kolla_config: /var/lib/kolla/config_files/zaqar.json: - command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf + command: /usr/sbin/httpd -DFOREGROUND /var/lib/kolla/config_files/zaqar_websocket.json: command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf --config-file /etc/zaqar/1.conf docker_config: @@ -66,9 +66,13 @@ outputs: net: host privileged: false restart: always + # NOTE(mandre) kolla image changes the user to 'zaqar', we need it + # to be root to run httpd + user: root volumes: - /var/lib/kolla/config_files/zaqar.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/zaqar/etc/zaqar/:/etc/zaqar/:ro + - /var/lib/config-data/zaqar/etc/httpd:/etc/httpd/:ro - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro environment: @@ -88,5 +92,4 @@ outputs: upgrade_tasks: - name: Stop and disable zaqar service tags: step2 - service: name=openstack-zaqar.service state=stopped enabled=no - + service: name=httpd state=stopped enabled=no |