8 files changed, 59 insertions, 8 deletions

diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py
index c364d039..909a2c8a 100755
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
@@ -61,7 +61,10 @@ def rm_container(name):
                                stderr=subprocess.PIPE)
     cmd_stdout, cmd_stderr = subproc.communicate()
     print(cmd_stdout)
-    print(cmd_stderr)
+    if cmd_stderr and \
+            cmd_stderr != 'Error response from daemon: ' \
+            'No such container: {}\n'.format(name):
+        print(cmd_stderr)
 
 process_count = int(os.environ.get('PROCESS_COUNT',
                                    multiprocessing.cpu_count()))
@@ -202,6 +205,12 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
                 '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro',
                 '--volume', '/var/lib/config-data/:/var/lib/config-data/:rw',
                 '--volume', 'tripleo_logs:/var/log/tripleo/',
+                # OpenSSL trusted CA injection
+                '--volume', '/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro',
+                '--volume', '/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro',
+                '--volume', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro',
+                '--volume', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro',
+                # script injection
                 '--volume', '%s:%s:rw' % (sh_script, sh_script) ]
 
         for volume in volumes:
diff --git a/docker/docker-steps.j2 b/docker/docker-steps.j2
index 301d838f..f0af8e25 100644
--- a/docker/docker-steps.j2
+++ b/docker/docker-steps.j2
@@ -1,7 +1,14 @@
 # certain initialization steps (run in a container) will occur
-# on the first role listed in the roles file
-{% set primary_role_name = roles[0].name -%}
-
+# on the role marked as primary controller or the first role listed
+{%- set primary_role = [roles[0]] -%}
+{%- for role in roles -%}
+  {%- if 'primary' in role.tags and 'controller' in role.tags -%}
+    {%- set _ = primary_role.pop() -%}
+    {%- set _ = primary_role.append(role) -%}
+  {%- endif -%}
+{%- endfor -%}
+{%- set primary_role_name = primary_role[0].name -%}
+# primary role is: {{primary_role_name}}
 heat_template_version: ocata
 
 description: >
diff --git a/docker/services/gnocchi-api.yaml b/docker/services/gnocchi-api.yaml
index 08f4b56b..659785aa 100644
--- a/docker/services/gnocchi-api.yaml
+++ b/docker/services/gnocchi-api.yaml
@@ -96,3 +96,7 @@ outputs:
               - /etc/localtime:/etc/localtime:ro
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+      upgrade_tasks:
+        - name: Stop and disable httpd service
+          tags: step2
+          service: name=httpd state=stopped enabled=no
diff --git a/docker/services/gnocchi-metricd.yaml b/docker/services/gnocchi-metricd.yaml
index 6b41eaa3..78494d66 100644
--- a/docker/services/gnocchi-metricd.yaml
+++ b/docker/services/gnocchi-metricd.yaml
@@ -71,3 +71,7 @@ outputs:
               - /etc/localtime:/etc/localtime:ro
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+      upgrade_tasks:
+        - name: Stop and disable openstack-gnocchi-metricd service
+          tags: step2
+          service: name=openstack-gnocchi-metricd.service state=stopped enabled=no
diff --git a/docker/services/gnocchi-statsd.yaml b/docker/services/gnocchi-statsd.yaml
index 93b616c4..7f439846 100644
--- a/docker/services/gnocchi-statsd.yaml
+++ b/docker/services/gnocchi-statsd.yaml
@@ -71,3 +71,7 @@ outputs:
               - /etc/localtime:/etc/localtime:ro
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+      upgrade_tasks:
+        - name: Stop and disable openstack-gnocchi-statsd service
+          tags: step2
+          service: name=openstack-gnocchi-statsd.service state=stopped enabled=no
diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index 90ddeb9f..526a357b 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -36,6 +36,9 @@ parameters:
     default: 'fernet'
     constraints:
       - allowed_values: ['uuid', 'fernet']
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
 resources:
 
@@ -46,6 +49,10 @@ resources:
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
 
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
 outputs:
   role_data:
     description: Role data for the Keystone API role.
@@ -96,6 +103,16 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - logs:/var/log
+              -
+                if:
+                  - internal_tls_enabled
+                  - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+                  - ''
+              -
+                if:
+                  - internal_tls_enabled
+                  - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+                  - ''
             environment:
               - KOLLA_BOOTSTRAP=True
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml
index 4cd48b75..97fafb09 100644
--- a/docker/services/nova-api.yaml
+++ b/docker/services/nova-api.yaml
@@ -50,7 +50,10 @@ outputs:
           - get_attr: [NovaApiBase, role_data, config_settings]
           - apache::default_vhost: false
       step_config: &step_config
-        get_attr: [NovaApiBase, role_data, step_config]
+        list_join:
+          - "\n"
+          - - "['Nova_cell_v2'].each |String $val| { noop_resource($val) }"
+            - {get_attr: [NovaApiBase, role_data, step_config]}
       service_config_settings: {get_attr: [NovaApiBase, role_data, service_config_settings]}
       # BEGIN DOCKER SETTINGS
       puppet_config:
diff --git a/docker/services/zaqar.yaml b/docker/services/zaqar.yaml
index 21aff31a..1160031f 100644
--- a/docker/services/zaqar.yaml
+++ b/docker/services/zaqar.yaml
@@ -56,7 +56,7 @@ outputs:
             - [ {get_param: DockerNamespace}, {get_param: DockerZaqarImage} ]
       kolla_config:
         /var/lib/kolla/config_files/zaqar.json:
-          command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf
+          command: /usr/sbin/httpd -DFOREGROUND
         /var/lib/kolla/config_files/zaqar_websocket.json:
           command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf --config-file /etc/zaqar/1.conf
       docker_config:
@@ -66,9 +66,13 @@ outputs:
             net: host
             privileged: false
             restart: always
+            # NOTE(mandre) kolla image changes the user to 'zaqar', we need it
+            # to be root to run httpd
+            user: root
             volumes:
               - /var/lib/kolla/config_files/zaqar.json:/var/lib/kolla/config_files/config.json:ro
               - /var/lib/config-data/zaqar/etc/zaqar/:/etc/zaqar/:ro
+              - /var/lib/config-data/zaqar/etc/httpd:/etc/httpd/:ro
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
             environment:
@@ -88,5 +92,4 @@ outputs:
       upgrade_tasks:
         - name: Stop and disable zaqar service
           tags: step2
-          service: name=openstack-zaqar.service state=stopped enabled=no
-
+          service: name=httpd state=stopped enabled=no