diff options
Diffstat (limited to 'docker')
49 files changed, 936 insertions, 121 deletions
diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py index 4659cf53..cc247031 100755 --- a/docker/docker-puppet.py +++ b/docker/docker-puppet.py @@ -26,6 +26,7 @@ import sys import subprocess import sys import tempfile +import time import multiprocessing logger = None @@ -59,10 +60,23 @@ def short_hostname(): def pull_image(name): log.info('Pulling image: %s' % name) - subproc = subprocess.Popen(['/usr/bin/docker', 'pull', name], - stdout=subprocess.PIPE, - stderr=subprocess.PIPE) - cmd_stdout, cmd_stderr = subproc.communicate() + retval = -1 + count = 0 + while retval != 0: + count += 1 + subproc = subprocess.Popen(['/usr/bin/docker', 'pull', name], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + + cmd_stdout, cmd_stderr = subproc.communicate() + retval = subproc.returncode + if retval != 0: + time.sleep(3) + log.warning('docker pull failed: %s' % cmd_stderr) + log.warning('retrying pulling image: %s' % name) + if count >= 5: + log.error('Failed to pull image: %s' % name) + break if cmd_stdout: log.debug(cmd_stdout) if cmd_stderr: @@ -257,7 +271,7 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume '--volume', '%s:/etc/config.pp:ro' % tmp_man.name, '--volume', '/etc/puppet/:/tmp/puppet-etc/:ro', '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro', - '--volume', '/var/lib/config-data/:/var/lib/config-data/:rw', + '--volume', '%s:/var/lib/config-data/:rw' % os.environ.get('CONFIG_VOLUME_PREFIX', '/var/lib/config-data'), '--volume', 'tripleo_logs:/var/log/tripleo/', # Syslog socket for puppet logs '--volume', '/dev/log:/dev/log', @@ -366,6 +380,7 @@ for infile in infiles: outfile = os.path.join(os.path.dirname(infile), "hashed-" + os.path.basename(infile)) with open(outfile, 'w') as out_f: + os.chmod(out_f.name, 0600) json.dump(infile_data, out_f) if not success: diff --git a/docker/services/aodh-api.yaml b/docker/services/aodh-api.yaml index da4b981c..49c5f9c5 100644 --- a/docker/services/aodh-api.yaml +++ b/docker/services/aodh-api.yaml @@ -102,7 +102,8 @@ outputs: user: root volumes: - /var/log/containers/aodh:/var/log/aodh - command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd; chown -R aodh:aodh /var/log/aodh'] + - /var/log/containers/httpd/aodh-api:/var/log/httpd + command: ['/bin/bash', '-c', 'chown -R aodh:aodh /var/log/aodh'] step_3: aodh_db_sync: image: *aodh_api_image @@ -117,6 +118,7 @@ outputs: - /var/lib/config-data/aodh/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro - /var/lib/config-data/aodh/etc/aodh/:/etc/aodh/:ro - /var/log/containers/aodh:/var/log/aodh + - /var/log/containers/httpd/aodh-api:/var/log/httpd command: "/usr/bin/bootstrap_host_exec aodh_api su aodh -s /bin/bash -c /usr/bin/aodh-dbsync" step_4: aodh_api: @@ -131,6 +133,7 @@ outputs: - /var/lib/kolla/config_files/aodh_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/aodh/:/var/lib/kolla/config_files/src:ro - /var/log/containers/aodh:/var/log/aodh + - /var/log/containers/httpd/aodh-api:/var/log/httpd - if: - internal_tls_enabled @@ -146,8 +149,11 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: /var/log/containers/aodh + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/aodh + - /var/log/containers/httpd/aodh-api upgrade_tasks: - name: Stop and disable aodh service (running under httpd) tags: step2 diff --git a/docker/services/ceilometer-agent-central.yaml b/docker/services/ceilometer-agent-central.yaml index 424c316f..d772462d 100644 --- a/docker/services/ceilometer-agent-central.yaml +++ b/docker/services/ceilometer-agent-central.yaml @@ -69,7 +69,7 @@ outputs: config_image: {get_param: DockerCeilometerConfigImage} kolla_config: /var/lib/kolla/config_files/ceilometer_agent_central.json: - command: /usr/bin/ceilometer-polling --polling-namespaces central + command: /usr/bin/ceilometer-polling --polling-namespaces central --logfile /var/log/ceilometer/central.log config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" @@ -116,6 +116,11 @@ outputs: - '/usr/bin/bootstrap_host_exec' - 'ceilometer_agent_central' - "su ceilometer -s /bin/bash -c 'for n in {1..10}; do /usr/bin/ceilometer-upgrade --skip-metering-database && exit 0 || sleep 5; done; exit 1'" + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/ceilometer + state: directory upgrade_tasks: - name: Stop and disable ceilometer agent central service tags: step2 diff --git a/docker/services/ceilometer-agent-compute.yaml b/docker/services/ceilometer-agent-compute.yaml index 535b1693..90b30d46 100644 --- a/docker/services/ceilometer-agent-compute.yaml +++ b/docker/services/ceilometer-agent-compute.yaml @@ -69,7 +69,7 @@ outputs: config_image: {get_param: DockerCeilometerConfigImage} kolla_config: /var/lib/kolla/config_files/ceilometer_agent_compute.json: - command: /usr/bin/ceilometer-polling --polling-namespaces compute + command: /usr/bin/ceilometer-polling --polling-namespaces compute --logfile /var/log/ceilometer/compute.log config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" @@ -89,8 +89,14 @@ outputs: - /var/lib/kolla/config_files/ceilometer_agent_compute.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/ceilometer/:/var/lib/kolla/config_files/src:ro - /var/run/libvirt:/var/run/libvirt:ro + - /var/log/containers/ceilometer:/var/log/ceilometer environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/ceilometer + state: directory upgrade_tasks: - name: Check if openstack-ceilometer-compute is deployed command: systemctl is-enabled openstack-ceilometer-compute @@ -99,14 +105,14 @@ outputs: register: openstack_ceilometer_compute_enabled - name: Check if openstack-ceilometer-polling is deployed command: systemctl is-enabled openstack-ceilometer-polling - tags: step2 + tags: step2 ignore_errors: True register: openstack_ceilometer_polling_enabled - name: Stop and disable ceilometer compute agent tags: step2 service: name=openstack-ceilometer-compute state=stopped enabled=no - when: openstack_ceilometer_compute_enabled.rc == 0 + when: openstack_ceilometer_compute_enabled.rc|default('') == 0 - name: Stop and disable ceilometer polling agent tags: step2 service: name=openstack-ceilometer-polling state=stopped enabled=no - when: openstack_ceilometer_polling_enabled.rc == 0 + when: openstack_ceilometer_polling_enabled.rc|default('') == 0 diff --git a/docker/services/ceilometer-agent-notification.yaml b/docker/services/ceilometer-agent-notification.yaml index 7f1d442a..891750ad 100644 --- a/docker/services/ceilometer-agent-notification.yaml +++ b/docker/services/ceilometer-agent-notification.yaml @@ -69,12 +69,20 @@ outputs: config_image: {get_param: DockerCeilometerConfigImage} kolla_config: /var/lib/kolla/config_files/ceilometer_agent_notification.json: - command: /usr/bin/ceilometer-agent-notification + command: /usr/bin/ceilometer-agent-notification --logfile /var/log/ceilometer/agent-notification.log config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true + - source: "/var/lib/kolla/config_files/src-panko/*" + dest: "/" + merge: true + preserve_properties: true + permissions: + - path: /etc/panko + owner: root:ceilometer + recurse: true docker_config: step_3: ceilometer_init_log: @@ -96,8 +104,15 @@ outputs: - - /var/lib/kolla/config_files/ceilometer_agent_notification.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/ceilometer/:/var/lib/kolla/config_files/src:ro + - /var/lib/config-data/puppet-generated/panko/:/var/lib/kolla/config_files/src-panko:ro + - /var/log/containers/ceilometer:/var/log/ceilometer environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/ceilometer + state: directory upgrade_tasks: - name: Stop and disable ceilometer agent notification service tags: step2 diff --git a/docker/services/ceph-ansible/ceph-base.yaml b/docker/services/ceph-ansible/ceph-base.yaml index bf2c86c4..b60f98c2 100644 --- a/docker/services/ceph-ansible/ceph-base.yaml +++ b/docker/services/ceph-ansible/ceph-base.yaml @@ -58,13 +58,17 @@ parameters: type: string description: List of ceph-ansible tags to skip default: 'package-install,with_pkg' + CephConfigOverrides: + type: json + description: Extra config settings to dump into ceph.conf + default: {} CephClusterFSID: type: string description: The Ceph cluster FSID. Must be a UUID. CephPoolDefaultPgNum: description: default pg_num to use for the RBD pools type: number - default: 32 + default: 128 CephPools: description: > It can be used to override settings for one of the predefined pools, or to create @@ -100,6 +104,14 @@ parameters: CephClientUserName: default: openstack type: string + CephRgwClientName: + default: radosgw + type: string + CephRgwKey: + description: The cephx key for the radosgw client. Can be created + with ceph-authtool --gen-print-key. + type: string + hidden: true CephPoolDefaultSize: description: default minimum replication for RBD copies type: number @@ -115,10 +127,13 @@ parameters: CephIPv6: default: False type: boolean + SwiftPassword: + description: The password for the swift service account + type: string + hidden: true DockerCephDaemonImage: description: image type: string - default: 'ceph/daemon:tag-build-master-jewel-centos-7' conditions: custom_registry_host: @@ -167,7 +182,7 @@ outputs: config_volume: '' step_config: '' docker_config: {} - service_workflow_tasks: + workflow_tasks: step2: - name: ceph_base_ansible_workflow workflow: { get_param: CephAnsibleWorkflowName } @@ -241,16 +256,36 @@ outputs: - - client - {get_param: ManilaCephFSNativeCephFSAuthId} key: {get_param: CephManilaClientKey} - mon_cap: "allow r, allow command auth del, allow command auth caps, allow command auth get, allow command auth get-or-create" + mon_cap: 'allow r, allow command \\\"auth del\\\", allow command \\\"auth caps\\\", allow command \\\"auth get\\\", allow command \\\"auth get-or-create\\\"' mds_cap: "allow *" osd_cap: "allow rw" mode: "0644" + - name: + list_join: + - '.' + - - client + - {get_param: CephRgwClientName} + key: {get_param: CephRgwKey} + mon_cap: "allow rw" + osd_cap: "allow rwx" + mode: "0644" keys: *openstack_keys pools: [] ceph_conf_overrides: - global: - osd_pool_default_size: {get_param: CephPoolDefaultSize} - osd_pool_default_pg_num: {get_param: CephPoolDefaultPgNum} + map_merge: + - global: + osd_pool_default_size: {get_param: CephPoolDefaultSize} + osd_pool_default_pg_num: {get_param: CephPoolDefaultPgNum} + osd_pool_default_pgp_num: {get_param: CephPoolDefaultPgNum} + rgw_keystone_api_version: 3 + rgw_keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + rgw_keystone_accepted_roles: 'Member, _member_, admin' + rgw_keystone_admin_domain: default + rgw_keystone_admin_project: service + rgw_keystone_admin_user: swift + rgw_keystone_admin_password: {get_param: SwiftPassword} + rgw_s3_auth_use_keystone: 'true' + - {get_param: CephConfigOverrides} ntp_service_enabled: false generate_fsid: false ip_version: diff --git a/docker/services/ceph-ansible/ceph-client.yaml b/docker/services/ceph-ansible/ceph-client.yaml index 55d8d9da..0b782941 100644 --- a/docker/services/ceph-ansible/ceph-client.yaml +++ b/docker/services/ceph-ansible/ceph-client.yaml @@ -54,5 +54,5 @@ outputs: config_volume: '' step_config: '' docker_config: {} - service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]} + workflow_tasks: {get_attr: [CephBase, role_data, workflow_tasks]} config_settings: {} diff --git a/docker/services/ceph-ansible/ceph-external.yaml b/docker/services/ceph-ansible/ceph-external.yaml new file mode 100644 index 00000000..bb2fc20a --- /dev/null +++ b/docker/services/ceph-ansible/ceph-external.yaml @@ -0,0 +1,66 @@ +heat_template_version: pike + +description: > + Ceph External service. + +parameters: + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + CephExternalMonHost: + default: '' + type: string + description: List of externally managed Ceph Mon Host IPs. Only used for external Ceph deployments. + +resources: + CephBase: + type: ./ceph-base.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Ceph External service. + value: + service_name: ceph_client + upgrade_tasks: [] + step_config: '' + puppet_config: + config_image: '' + config_volume: '' + step_config: '' + docker_config: {} + workflow_tasks: {get_attr: [CephBase, role_data, workflow_tasks]} + config_settings: + ceph_client_ansible_vars: + map_merge: + - {get_attr: [CephBase, role_data, config_settings, ceph_common_ansible_vars]} + - external_cluster_mon_ips: {get_param: CephExternalMonHost}
\ No newline at end of file diff --git a/docker/services/ceph-ansible/ceph-mds.yaml b/docker/services/ceph-ansible/ceph-mds.yaml index 4ef3a669..abdb3c3f 100644 --- a/docker/services/ceph-ansible/ceph-mds.yaml +++ b/docker/services/ceph-ansible/ceph-mds.yaml @@ -68,7 +68,7 @@ outputs: config_volume: '' step_config: '' docker_config: {} - service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]} + workflow_tasks: {get_attr: [CephBase, role_data, workflow_tasks]} config_settings: map_merge: - tripleo.ceph_mds.firewall_rules: diff --git a/docker/services/ceph-ansible/ceph-mon.yaml b/docker/services/ceph-ansible/ceph-mon.yaml index 90149d1e..45f939c2 100644 --- a/docker/services/ceph-ansible/ceph-mon.yaml +++ b/docker/services/ceph-ansible/ceph-mon.yaml @@ -71,7 +71,7 @@ outputs: config_volume: '' step_config: '' docker_config: {} - service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]} + workflow_tasks: {get_attr: [CephBase, role_data, workflow_tasks]} config_settings: map_merge: - tripleo.ceph_mon.firewall_rules: diff --git a/docker/services/ceph-ansible/ceph-osd.yaml b/docker/services/ceph-ansible/ceph-osd.yaml index 6e0f4a60..a441f5c9 100644 --- a/docker/services/ceph-ansible/ceph-osd.yaml +++ b/docker/services/ceph-ansible/ceph-osd.yaml @@ -38,6 +38,7 @@ parameters: - /dev/vdb journal_size: 512 journal_collocation: true + osd_scenario: collocated resources: CephBase: @@ -62,7 +63,7 @@ outputs: config_volume: '' step_config: '' docker_config: {} - service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]} + workflow_tasks: {get_attr: [CephBase, role_data, workflow_tasks]} config_settings: map_merge: - tripleo.ceph_osd.firewall_rules: @@ -72,4 +73,5 @@ outputs: - ceph_osd_ansible_vars: map_merge: - {get_attr: [CephBase, role_data, config_settings, ceph_common_ansible_vars]} + - osd_objectstore: filestore - {get_param: CephAnsibleDisksConfig}
\ No newline at end of file diff --git a/docker/services/ceph-ansible/ceph-rgw.yaml b/docker/services/ceph-ansible/ceph-rgw.yaml new file mode 100644 index 00000000..4479fdbf --- /dev/null +++ b/docker/services/ceph-ansible/ceph-rgw.yaml @@ -0,0 +1,87 @@ +heat_template_version: pike + +description: > + Ceph RadosGW service. + +parameters: + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + SwiftPassword: + description: The password for the swift service account + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + +resources: + CephBase: + type: ./ceph-base.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for the Ceph RadosGW service. + value: + service_name: ceph_rgw + upgrade_tasks: [] + step_config: '' + puppet_config: + config_image: '' + config_volume: '' + step_config: '' + docker_config: {} + workflow_tasks: {get_attr: [CephBase, role_data, workflow_tasks]} + config_settings: + map_merge: + - tripleo.ceph_rgw.firewall_rules: + '122 ceph rgw': + dport: {get_param: [EndpointMap, CephRgwInternal, port]} + - ceph_rgw_ansible_vars: + map_merge: + - {get_attr: [CephBase, role_data, config_settings, ceph_common_ansible_vars]} + - radosgw_keystone: true + radosgw_keystone_ssl: false + radosgw_address_block: {get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephRgwNetwork]}]} + radosgw_civetweb_port: {get_param: [EndpointMap, CephRgwInternal, port]} + service_config_settings: + keystone: + ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]} + ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]} + ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]} + ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion} + ceph::rgw::keystone::auth::roles: [ 'admin', 'Member', '_member_' ] + ceph::rgw::keystone::auth::tenant: service + ceph::rgw::keystone::auth::user: swift + ceph::rgw::keystone::auth::password: {get_param: SwiftPassword} diff --git a/docker/services/cinder-api.yaml b/docker/services/cinder-api.yaml index 519b2328..06705309 100644 --- a/docker/services/cinder-api.yaml +++ b/docker/services/cinder-api.yaml @@ -111,6 +111,7 @@ outputs: user: root volumes: - /var/log/containers/cinder:/var/log/cinder + - /var/log/containers/httpd/cinder-api:/var/log/httpd command: ['/bin/bash', '-c', 'chown -R cinder:cinder /var/log/cinder'] step_3: cinder_api_db_sync: @@ -125,6 +126,7 @@ outputs: - - /var/lib/config-data/cinder/etc/cinder/:/etc/cinder/:ro - /var/log/containers/cinder:/var/log/cinder + - /var/log/containers/httpd/cinder-api:/var/log/httpd command: - '/usr/bin/bootstrap_host_exec' - 'cinder_api' @@ -145,6 +147,7 @@ outputs: - /var/lib/kolla/config_files/cinder_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/cinder/:/var/lib/kolla/config_files/src:ro - /var/log/containers/cinder:/var/log/cinder + - /var/log/containers/httpd/cinder-api:/var/log/httpd - if: - internal_tls_enabled @@ -163,6 +166,8 @@ outputs: user: root privileged: false restart: always + healthcheck: + test: /bin/true volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} @@ -170,6 +175,7 @@ outputs: - /var/lib/kolla/config_files/cinder_api_cron.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/cinder/:/var/lib/kolla/config_files/src:ro - /var/log/containers/cinder:/var/log/cinder + - /var/log/containers/httpd/cinder-api:/var/log/httpd environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS @@ -178,8 +184,11 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: /var/log/containers/cinder + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/cinder + - /var/log/containers/httpd/cinder-api upgrade_tasks: - name: Stop and disable cinder_api service tags: step2 diff --git a/docker/services/containers-common.yaml b/docker/services/containers-common.yaml index 2c894da5..9f982f8b 100644 --- a/docker/services/containers-common.yaml +++ b/docker/services/containers-common.yaml @@ -64,6 +64,7 @@ outputs: # Syslog socket - /dev/log:/dev/log - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro + - /sys/fs/selinux:/sys/fs/selinux - if: - internal_tls_enabled - - list_join: diff --git a/docker/services/database/mongodb.yaml b/docker/services/database/mongodb.yaml index 9b5c5b8f..5cf6f925 100644 --- a/docker/services/database/mongodb.yaml +++ b/docker/services/database/mongodb.yaml @@ -157,6 +157,11 @@ outputs: metadata_settings: get_attr: [MongodbPuppetBase, role_data, metadata_settings] upgrade_tasks: + - name: Check for mongodb service + stat: path=/usr/lib/systemd/system/mongod.service + tags: common + register: mongod_service - name: Stop and disable mongodb service tags: step2 service: name=mongod state=stopped enabled=no + when: mongod_service.stat.exists diff --git a/docker/services/database/redis.yaml b/docker/services/database/redis.yaml index 980a8c6d..487b4c67 100644 --- a/docker/services/database/redis.yaml +++ b/docker/services/database/redis.yaml @@ -36,9 +36,19 @@ parameters: default: {} description: Parameters specific to the role type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: + ContainersCommon: + type: ../containers-common.yaml + RedisBase: type: ../../../puppet/services/database/redis.yaml properties: @@ -56,6 +66,8 @@ outputs: map_merge: - {get_attr: [RedisBase, role_data, config_settings]} - redis::daemonize: false + tripleo::stunnel::manage_service: false + tripleo::stunnel::foreground: 'yes' step_config: &step_config get_attr: [RedisBase, role_data, step_config] service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]} @@ -80,31 +92,60 @@ outputs: - path: /var/run/redis owner: redis:redis recurse: true + /var/lib/kolla/config_files/redis_tls_proxy.json: + command: stunnel /etc/stunnel/stunnel.conf + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true docker_config: step_1: - redis_init_logs: - start_order: 0 - detach: false - image: &redis_image {get_param: DockerRedisImage} - privileged: false - user: root - volumes: - - /var/log/containers/redis:/var/log/redis - command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis'] - redis: - start_order: 1 - image: *redis_image - net: host - privileged: false - restart: always - volumes: - - /run:/run - - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro - - /etc/localtime:/etc/localtime:ro - - /var/log/containers/redis:/var/log/redis - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + map_merge: + - redis_init_logs: + start_order: 0 + detach: false + image: &redis_image {get_param: DockerRedisImage} + privileged: false + user: root + volumes: + - /var/log/containers/redis:/var/log/redis + command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis'] + - redis: + start_order: 1 + image: *redis_image + net: host + privileged: false + restart: always + volumes: + - /run:/run + - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro + - /etc/localtime:/etc/localtime:ro + - /var/log/containers/redis:/var/log/redis + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - if: + - internal_tls_enabled + - redis_tls_proxy: + start_order: 2 + image: *redis_image + net: host + user: root + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/redis_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro + - /etc/pki/tls/certs/redis.crt:/etc/pki/tls/certs/redis.crt:ro + - /etc/pki/tls/private/redis.key:/etc/pki/tls/private/redis.key:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - {} + metadata_settings: + get_attr: [RedisBase, role_data, metadata_settings] host_prep_tasks: - name: create persistent directories file: diff --git a/docker/services/glance-api.yaml b/docker/services/glance-api.yaml index df226b15..8f2bd604 100644 --- a/docker/services/glance-api.yaml +++ b/docker/services/glance-api.yaml @@ -118,6 +118,7 @@ outputs: user: root volumes: - /var/log/containers/glance:/var/log/glance + - /var/log/containers/httpd/glance-api:/var/log/httpd command: ['/bin/bash', '-c', 'chown -R glance:glance /var/log/glance'] step_3: glance_api_db_sync: @@ -133,6 +134,7 @@ outputs: - /var/lib/kolla/config_files/glance_api.json:/var/lib/kolla/config_files/config.json - /var/lib/config-data/puppet-generated/glance_api/:/var/lib/kolla/config_files/src:ro - /var/log/containers/glance:/var/log/glance + - /var/log/containers/httpd/glance-api:/var/log/httpd - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro - if: @@ -176,8 +178,11 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: /var/log/containers/glance + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/glance + - /var/log/containers/httpd/glance-api - name: ensure ceph configurations exist file: path: /etc/ceph diff --git a/docker/services/gnocchi-api.yaml b/docker/services/gnocchi-api.yaml index 1443da40..47b3b811 100644 --- a/docker/services/gnocchi-api.yaml +++ b/docker/services/gnocchi-api.yaml @@ -104,7 +104,8 @@ outputs: user: root volumes: - /var/log/containers/gnocchi:/var/log/gnocchi - command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd; chown -R gnocchi:gnocchi /var/log/gnocchi'] + - /var/log/containers/httpd/gnocchi-api:/var/log/httpd + command: ['/bin/bash', '-c', 'chown -R gnocchi:gnocchi /var/log/gnocchi'] step_4: gnocchi_db_sync: image: *gnocchi_api_image @@ -119,6 +120,7 @@ outputs: - /var/lib/config-data/gnocchi/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro - /var/lib/config-data/gnocchi/etc/gnocchi/:/etc/gnocchi/:ro - /var/log/containers/gnocchi:/var/log/gnocchi + - /var/log/containers/httpd/gnocchi-api:/var/log/httpd - /etc/ceph:/etc/ceph:ro command: str_replace: @@ -138,6 +140,7 @@ outputs: - /var/lib/kolla/config_files/gnocchi_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/gnocchi/:/var/lib/kolla/config_files/src:ro - /var/log/containers/gnocchi:/var/log/gnocchi + - /var/log/containers/httpd/gnocchi-api:/var/log/httpd - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro - if: @@ -154,8 +157,11 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: /var/log/containers/gnocchi + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/gnocchi + - /var/log/containers/httpd/gnocchi-api - name: ensure ceph configurations exist file: path: /etc/ceph diff --git a/docker/services/gnocchi-metricd.yaml b/docker/services/gnocchi-metricd.yaml index 5a6958a0..9a114458 100644 --- a/docker/services/gnocchi-metricd.yaml +++ b/docker/services/gnocchi-metricd.yaml @@ -90,7 +90,7 @@ outputs: owner: gnocchi:gnocchi recurse: true docker_config: - step_4: + step_5: gnocchi_metricd: image: {get_param: DockerGnocchiMetricdImage} net: host diff --git a/docker/services/gnocchi-statsd.yaml b/docker/services/gnocchi-statsd.yaml index 2957312b..834d0055 100644 --- a/docker/services/gnocchi-statsd.yaml +++ b/docker/services/gnocchi-statsd.yaml @@ -90,7 +90,7 @@ outputs: owner: gnocchi:gnocchi recurse: true docker_config: - step_4: + step_5: gnocchi_statsd: image: {get_param: DockerGnocchiStatsdImage} net: host diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml index f0e2f71d..70e1f893 100644 --- a/docker/services/haproxy.yaml +++ b/docker/services/haproxy.yaml @@ -96,8 +96,7 @@ outputs: config_settings: map_merge: - get_attr: [HAProxyBase, role_data, config_settings] - - tripleo::haproxy::haproxy_daemon: false - tripleo::haproxy::haproxy_service_manage: false + - tripleo::haproxy::haproxy_service_manage: false # NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy # when this is updated tripleo::haproxy::crl_file: null @@ -130,7 +129,7 @@ outputs: - null kolla_config: /var/lib/kolla/config_files/haproxy.json: - command: haproxy -f /etc/haproxy/haproxy.cfg + command: /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" diff --git a/docker/services/heat-api-cfn.yaml b/docker/services/heat-api-cfn.yaml index 70612899..cfe11cd6 100644 --- a/docker/services/heat-api-cfn.yaml +++ b/docker/services/heat-api-cfn.yaml @@ -107,6 +107,7 @@ outputs: - /var/lib/kolla/config_files/heat_api_cfn.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/heat_api_cfn/:/var/lib/kolla/config_files/src:ro - /var/log/containers/heat:/var/log/heat + - /var/log/containers/httpd/heat-api-cfn:/var/log/httpd - if: - internal_tls_enabled @@ -122,8 +123,11 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: /var/log/containers/heat + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/heat + - /var/log/containers/httpd/heat-api-cfn upgrade_tasks: - name: Check if heat_api_cfn is deployed command: systemctl is-enabled openstack-heat-api-cfn diff --git a/docker/services/heat-api.yaml b/docker/services/heat-api.yaml index 54c7bedd..2bb588de 100644 --- a/docker/services/heat-api.yaml +++ b/docker/services/heat-api.yaml @@ -118,6 +118,7 @@ outputs: - /var/lib/kolla/config_files/heat_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/heat_api/:/var/lib/kolla/config_files/src:ro - /var/log/containers/heat:/var/log/heat + - /var/log/containers/httpd/heat-api:/var/log/httpd - if: - internal_tls_enabled @@ -136,6 +137,8 @@ outputs: user: root privileged: false restart: always + healthcheck: + test: /bin/true volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} @@ -143,13 +146,17 @@ outputs: - /var/lib/kolla/config_files/heat_api_cron.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/heat_api/:/var/lib/kolla/config_files/src:ro - /var/log/containers/heat:/var/log/heat + - /var/log/containers/httpd/heat-api:/var/log/httpd environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: - name: create persistent logs directory file: - path: /var/log/containers/heat + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/heat + - /var/log/containers/httpd/heat-api upgrade_tasks: - name: Check is heat_api is deployed command: systemctl is-enabled openstack-heat-api diff --git a/docker/services/horizon.yaml b/docker/services/horizon.yaml index f2f2b8dc..9a2c8bad 100644 --- a/docker/services/horizon.yaml +++ b/docker/services/horizon.yaml @@ -110,6 +110,7 @@ outputs: command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log && chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard'] volumes: - /var/log/containers/horizon:/var/log/horizon + - /var/log/containers/httpd/horizon:/var/log/httpd - /var/lib/config-data/horizon/etc/:/etc/ step_3: horizon: @@ -124,6 +125,7 @@ outputs: - /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/horizon/:/var/lib/kolla/config_files/src:ro - /var/log/containers/horizon:/var/log/horizon + - /var/log/containers/httpd/horizon:/var/log/httpd - if: - internal_tls_enabled @@ -139,8 +141,11 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: /var/log/containers/horizon + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/horizon + - /var/log/containers/httpd/horizon upgrade_tasks: - name: Stop and disable horizon service (running under httpd) tags: step2 diff --git a/docker/services/ironic-api.yaml b/docker/services/ironic-api.yaml index 2a9735b5..38710f3b 100644 --- a/docker/services/ironic-api.yaml +++ b/docker/services/ironic-api.yaml @@ -97,6 +97,7 @@ outputs: user: root volumes: - /var/log/containers/ironic:/var/log/ironic + - /var/log/containers/httpd/ironic-api:/var/log/httpd command: ['/bin/bash', '-c', 'chown -R ironic:ironic /var/log/ironic'] step_3: ironic_db_sync: @@ -112,6 +113,7 @@ outputs: - - /var/lib/config-data/ironic_api/etc/ironic:/etc/ironic:ro - /var/log/containers/ironic:/var/log/ironic + - /var/log/containers/httpd/ironic-api:/var/log/httpd command: "/usr/bin/bootstrap_host_exec ironic_api su ironic -s /bin/bash -c 'ironic-dbsync --config-file /etc/ironic/ironic.conf'" step_4: ironic_api: @@ -127,13 +129,17 @@ outputs: - /var/lib/kolla/config_files/ironic_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/ironic_api/:/var/lib/kolla/config_files/src:ro - /var/log/containers/ironic:/var/log/ironic + - /var/log/containers/httpd/ironic-api:/var/log/httpd environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: - name: create persistent logs directory file: - path: /var/log/containers/ironic + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/ironic + - /var/log/containers/httpd/ironic-api upgrade_tasks: - name: Stop and disable ironic_api service tags: step2 diff --git a/docker/services/ironic-pxe.yaml b/docker/services/ironic-pxe.yaml index 48d2e1ee..878eef63 100644 --- a/docker/services/ironic-pxe.yaml +++ b/docker/services/ironic-pxe.yaml @@ -92,6 +92,7 @@ outputs: - /var/lib/ironic:/var/lib/ironic/ - /dev/log:/dev/log - /var/log/containers/ironic:/var/log/ironic + - /var/log/containers/httpd/ironic-pxe:/var/log/httpd environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS ironic_pxe_http: @@ -108,6 +109,7 @@ outputs: - /var/lib/config-data/puppet-generated/ironic/:/var/lib/kolla/config_files/src:ro - /var/lib/ironic:/var/lib/ironic/ - /var/log/containers/ironic:/var/log/ironic + - /var/log/containers/httpd/ironic-pxe:/var/log/httpd environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -118,3 +120,4 @@ outputs: with_items: - /var/lib/ironic - /var/log/containers/ironic + - /var/log/containers/httpd/ironic-pxe diff --git a/docker/services/iscsid.yaml b/docker/services/iscsid.yaml index 80519800..c34a59d5 100644 --- a/docker/services/iscsid.yaml +++ b/docker/services/iscsid.yaml @@ -109,7 +109,7 @@ outputs: - name: Stop and disable iscsid service tags: step2 service: name=iscsid state=stopped enabled=no - when: stat_iscsid_service.stat.exists + when: (stat_iscsid_service.stat|default('')).exists|default(false) - name: stat /lib/systemd/system/iscsid.socket tags: step2 stat: path=/lib/systemd/system/iscsid.socket @@ -117,4 +117,4 @@ outputs: - name: Stop and disable iscsid.socket service tags: step2 service: name=iscsid.socket state=stopped enabled=no - when: stat_iscsid_socket.stat.exists + when: (stat_iscsid_socket.stat|default('')).exists|default(false) diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml index 4c2c1d16..8f4a2014 100644 --- a/docker/services/keystone.yaml +++ b/docker/services/keystone.yaml @@ -121,9 +121,10 @@ outputs: keystone_init_log: image: &keystone_image {get_param: DockerKeystoneImage} user: root - command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd; chown -R keystone:keystone /var/log/keystone'] + command: ['/bin/bash', '-c', 'chown -R keystone:keystone /var/log/keystone'] volumes: - /var/log/containers/keystone:/var/log/keystone + - /var/log/containers/httpd/keystone:/var/log/httpd step_3: keystone_db_sync: image: *keystone_image @@ -138,6 +139,7 @@ outputs: - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro - /var/log/containers/keystone:/var/log/keystone + - /var/log/containers/httpd/keystone:/var/log/httpd - if: - internal_tls_enabled @@ -175,6 +177,8 @@ outputs: privileged: false restart: always command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n'] + healthcheck: + test: /bin/true volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} @@ -182,6 +186,7 @@ outputs: - /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro - /var/log/containers/keystone:/var/log/keystone + - /var/log/containers/httpd/keystone:/var/log/httpd environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS docker_puppet_tasks: @@ -194,8 +199,11 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: /var/log/containers/keystone + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/keystone + - /var/log/containers/httpd/keystone upgrade_tasks: - name: Stop and disable keystone service (running under httpd) tags: step2 diff --git a/docker/services/manila-api.yaml b/docker/services/manila-api.yaml index 7b2dbfaf..a0e501ec 100644 --- a/docker/services/manila-api.yaml +++ b/docker/services/manila-api.yaml @@ -90,7 +90,8 @@ outputs: user: root volumes: - /var/log/containers/manila:/var/log/manila - command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd; chown -R manila:manila /var/log/manila'] + - /var/log/containers/httpd/manila-api:/var/log/httpd + command: ['/bin/bash', '-c', 'chown -R manila:manila /var/log/manila'] step_3: manila_api_db_sync: user: root @@ -103,6 +104,7 @@ outputs: - - /var/lib/config-data/manila/etc/manila/:/etc/manila/:ro - /var/log/containers/manila:/var/log/manila + - /var/log/containers/httpd/manila-api:/var/log/httpd command: "/usr/bin/bootstrap_host_exec manila_api su manila -s /bin/bash -c '/usr/bin/manila-manage db sync'" step_4: manila_api: @@ -116,13 +118,17 @@ outputs: - /var/lib/kolla/config_files/manila_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/manila/:/var/lib/kolla/config_files/src:ro - /var/log/containers/manila:/var/log/manila + - /var/log/containers/httpd/manila-api:/var/log/httpd environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: - name: Create persistent manila logs directory file: - path: /var/log/containers/manila + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/manila + - /var/log/containers/httpd/manila-api upgrade_tasks: - name: Stop and disable manila_api service tags: step2 diff --git a/docker/services/neutron-api.yaml b/docker/services/neutron-api.yaml index 85a07128..c028fc28 100644 --- a/docker/services/neutron-api.yaml +++ b/docker/services/neutron-api.yaml @@ -110,6 +110,7 @@ outputs: user: root volumes: - /var/log/containers/neutron:/var/log/neutron + - /var/log/containers/httpd/neutron-api:/var/log/httpd command: ['/bin/bash', '-c', 'chown -R neutron:neutron /var/log/neutron'] step_3: neutron_db_sync: @@ -126,6 +127,7 @@ outputs: - /var/lib/config-data/neutron/etc/neutron:/etc/neutron:ro - /var/lib/config-data/neutron/usr/share/neutron:/usr/share/neutron:ro - /var/log/containers/neutron:/var/log/neutron + - /var/log/containers/httpd/neutron-api:/var/log/httpd command: ['/usr/bin/bootstrap_host_exec', 'neutron_api', 'neutron-db-manage', 'upgrade', 'heads'] # FIXME: we should make config file permissions right # and run as neutron user @@ -144,6 +146,7 @@ outputs: - /var/lib/kolla/config_files/neutron_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro - /var/log/containers/neutron:/var/log/neutron + - /var/log/containers/httpd/neutron-api:/var/log/httpd environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - if: @@ -167,8 +170,11 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: /var/log/containers/neutron + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/neutron + - /var/log/containers/httpd/neutron-api upgrade_tasks: - name: Check if neutron_server is deployed command: systemctl is-enabled neutron-server diff --git a/docker/services/neutron-sriov-agent.yaml b/docker/services/neutron-sriov-agent.yaml new file mode 100644 index 00000000..a9914987 --- /dev/null +++ b/docker/services/neutron-sriov-agent.yaml @@ -0,0 +1,108 @@ +heat_template_version: pike + +description: > + OpenStack Neutron SR-IOV service + +parameters: + DockerNeutronSriovImage: + description: The container image to use for the Neutron SR-IOV agent + type: string + DockerNeutronConfigImage: + description: The container image to use for the neutron config_volume + type: string + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +resources: + + ContainersCommon: + type: ./containers-common.yaml + + NeutronSriovAgentBase: + type: ../../puppet/services/neutron-sriov-agent.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + +outputs: + role_data: + description: Role data for Neutron sriov service + value: + service_name: {get_attr: [NeutronSriovAgentBase, role_data, service_name]} + config_settings: {get_attr: [NeutronSriovAgentBase, role_data, config_settings]} + step_config: &step_config + get_attr: [NeutronSriovAgentBase, role_data, step_config] + puppet_config: + config_volume: neutron + puppet_tags: neutron_config,neutron_agent_sriov_numvfs,neutron_sriov_agent_config + step_config: *step_config + config_image: {get_param: DockerNeutronConfigImage} + kolla_config: + /var/lib/kolla/config_files/neutron_sriov_agent.json: + command: /usr/bin/neutron-sriov-nic-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/sriov_agent.ini --config-dir /etc/neutron/conf.d/common + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + permissions: + - path: /var/log/neutron + owner: neutron:neutron + recurse: true + docker_config: + step_4: + neutron_sriov_agent: + image: {get_param: DockerNeutronSriovImage} + net: host + pid: host + privileged: true + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/neutron_sriov_agent.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro + - /lib/modules:/lib/modules:ro + - /run:/run + - /var/log/containers/neutron:/var/log/neutron + - /sys/class/net:/sys/class/net:rw + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + host_prep_tasks: + - name: create persistent logs directory + file: + path: /var/log/containers/neutron + state: directory + upgrade_tasks: + - name: Stop and disable neutron_sriov_agent service + tags: step2 + service: name=neutron-sriov-nic-agent state=stopped enabled=no diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml index 37c4da5b..9f1ae865 100644 --- a/docker/services/nova-api.yaml +++ b/docker/services/nova-api.yaml @@ -116,7 +116,8 @@ outputs: user: root volumes: - /var/log/containers/nova:/var/log/nova - command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd; chown -R nova:nova /var/log/nova'] + - /var/log/containers/httpd/nova-api:/var/log/httpd + command: ['/bin/bash', '-c', 'chown -R nova:nova /var/log/nova'] step_3: nova_api_db_sync: start_order: 0 @@ -131,6 +132,7 @@ outputs: - /var/lib/config-data/nova/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro - /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro - /var/log/containers/nova:/var/log/nova + - /var/log/containers/httpd/nova-api:/var/log/httpd command: "/usr/bin/bootstrap_host_exec nova_api su nova -s /bin/bash -c '/usr/bin/nova-manage api_db sync'" # FIXME: we probably want to wait on the 'cell_v2 update' in order for this # to be capable of upgrading a baremetal setup. This is to ensure the name @@ -178,6 +180,7 @@ outputs: - /var/lib/kolla/config_files/nova_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro - /var/log/containers/nova:/var/log/nova + - /var/log/containers/httpd/nova-api:/var/log/httpd - if: - internal_tls_enabled @@ -196,6 +199,8 @@ outputs: user: root privileged: false restart: always + healthcheck: + test: /bin/true volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} @@ -203,6 +208,7 @@ outputs: - /var/lib/kolla/config_files/nova_api_cron.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro - /var/log/containers/nova:/var/log/nova + - /var/log/containers/httpd/nova-api:/var/log/httpd environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS step_5: @@ -213,14 +219,17 @@ outputs: detach: false volumes: *nova_api_bootstrap_volumes user: root - command: "/usr/bin/bootstrap_host_exec nova_api su nova -s /bin/bash -c '/usr/bin/nova-manage cell_v2 discover_hosts'" + command: "/usr/bin/bootstrap_host_exec nova_api su nova -s /bin/bash -c '/usr/bin/nova-manage cell_v2 discover_hosts --verbose'" metadata_settings: get_attr: [NovaApiBase, role_data, metadata_settings] host_prep_tasks: - name: create persistent logs directory file: - path: /var/log/containers/nova + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/nova + - /var/log/containers/httpd/nova-api upgrade_tasks: - name: Stop and disable nova_api service tags: step2 diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml index 39d1740c..bf7841be 100644 --- a/docker/services/nova-compute.yaml +++ b/docker/services/nova-compute.yaml @@ -41,6 +41,10 @@ parameters: description: Port that dockerized nova migration target sshd service binds to. type: number + UpgradeLevelNovaCompute: + type: string + description: Nova Compute upgrade level + default: '' resources: @@ -142,6 +146,13 @@ outputs: path: /etc/ceph state: directory upgrade_tasks: + - name: Set compute upgrade level to auto + tags: step1 + ini_file: + str_replace: + template: "dest=/etc/nova/nova.conf section=upgrade_levels option=compute value=LEVEL" + params: + LEVEL: {get_param: UpgradeLevelNovaCompute} - name: Stop and disable nova-compute service tags: step2 service: name=openstack-nova-compute state=stopped enabled=no diff --git a/docker/services/nova-conductor.yaml b/docker/services/nova-conductor.yaml index ae737056..17d137cc 100644 --- a/docker/services/nova-conductor.yaml +++ b/docker/services/nova-conductor.yaml @@ -36,7 +36,10 @@ parameters: default: {} description: Parameters specific to the role type: json - + UpgradeLevelNovaCompute: + type: string + description: Nova Compute upgrade level + default: '' resources: @@ -108,6 +111,13 @@ outputs: path: /var/log/containers/nova state: directory upgrade_tasks: + - name: Set compute upgrade level to auto + tags: step1 + ini_file: + str_replace: + template: "dest=/etc/nova/nova.conf section=upgrade_levels option=compute value=LEVEL" + params: + LEVEL: {get_param: UpgradeLevelNovaCompute} - name: Stop and disable nova_conductor service tags: step2 service: name=openstack-nova-conductor state=stopped enabled=no diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml index 8f151cfe..d20c093d 100644 --- a/docker/services/nova-libvirt.yaml +++ b/docker/services/nova-libvirt.yaml @@ -204,6 +204,7 @@ outputs: - /var/lib/libvirt:/var/lib/libvirt - /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro - /var/log/containers/nova:/var/log/nova + - /var/lib/vhost_sockets:/var/lib/vhost_sockets - if: - use_tls_for_live_migration @@ -252,6 +253,30 @@ outputs: - /etc/libvirt/qemu - /var/lib/libvirt - /var/log/containers/nova + # qemu user on host will be cretaed by libvirt package install, ensure + # the qemu user created with same uid/gid as like libvirt package. + # These specific values are required since ovs is running on host. + # Once ovs with DPDK is containerized, we could modify this uid/gid + # to match with kolla config values. + - name: ensure qemu group is present on the host + group: + name: qemu + gid: 107 + state: present + - name: ensure qemu user is present on the host + user: + name: qemu + uid: 107 + group: qemu + state: present + shell: /sbin/nologin + comment: qemu user + - name: create directory for vhost-user sockets with qemu ownership + file: + path: /var/lib/vhost_sockets + state: directory + owner: qemu + group: qemu - name: ensure ceph configurations exist file: path: /etc/ceph diff --git a/docker/services/nova-placement.yaml b/docker/services/nova-placement.yaml index 26d17560..d66a6fb8 100644 --- a/docker/services/nova-placement.yaml +++ b/docker/services/nova-placement.yaml @@ -111,6 +111,7 @@ outputs: - /var/lib/kolla/config_files/nova_placement.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/nova_placement/:/var/lib/kolla/config_files/src:ro - /var/log/containers/nova:/var/log/nova + - /var/log/containers/httpd/nova-placement:/var/log/httpd - if: - internal_tls_enabled @@ -128,8 +129,11 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: /var/log/containers/nova + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/nova + - /var/log/containers/httpd/nova-placement upgrade_tasks: - name: Stop and disable nova_placement service (running under httpd) tags: step2 diff --git a/docker/services/octavia-api.yaml b/docker/services/octavia-api.yaml index 86730ebc..da698991 100644 --- a/docker/services/octavia-api.yaml +++ b/docker/services/octavia-api.yaml @@ -111,6 +111,7 @@ outputs: # configuration. - /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/ - /var/log/containers/octavia:/var/log/octavia + - /var/log/containers/httpd/octavia-api:/var/log/httpd command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /var/log/octavia'] step_3: octavia_db_sync: @@ -126,6 +127,7 @@ outputs: - - /var/lib/config-data/octavia/etc/octavia/:/etc/octavia/:ro - /var/log/containers/octavia:/var/log/octavia + - /var/log/containers/httpd/octavia-api:/var/log/httpd command: "/usr/bin/bootstrap_host_exec octavia_api su octavia -s /bin/bash -c '/usr/bin/octavia-db-manage upgrade head'" step_4: map_merge: @@ -142,6 +144,7 @@ outputs: - /var/lib/kolla/config_files/octavia_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/octavia/:/var/lib/kolla/config_files/src:ro - /var/log/containers/octavia:/var/log/octavia + - /var/log/containers/httpd/octavia-api:/var/log/httpd environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - if: @@ -166,8 +169,11 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: /var/log/containers/octavia + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/octavia + - /var/log/containers/httpd/octavia-api upgrade_tasks: - name: Stop and disable octavia_api service tags: step2 diff --git a/docker/services/opendaylight-api.yaml b/docker/services/opendaylight-api.yaml index 6a62f65e..2a6fcfe8 100644 --- a/docker/services/opendaylight-api.yaml +++ b/docker/services/opendaylight-api.yaml @@ -97,10 +97,21 @@ outputs: - - /var/lib/kolla/config_files/opendaylight_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/opendaylight/:/var/lib/kolla/config_files/src:ro + - /var/log/containers/opendaylight:/opt/opendaylight/data/log + - /var/lib/opendaylight/journal:/opt/opendaylight/journal + - /var/lib/opendaylight/snapshots:/opt/opendaylight/snapshots environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - + host_prep_tasks: + - name: create persistent directories + file: + path: "{{ item }}" + state: directory + with_items: + - /var/log/containers/opendaylight + - /var/lib/opendaylight/snapshots + - /var/lib/opendaylight/journal upgrade_tasks: - name: Stop and disable opendaylight_api service tags: step2 - service: name=opendaylight state=stopped enabled=no + service: name=opendaylight state=stopped enabled=no
\ No newline at end of file diff --git a/docker/services/pacemaker/cinder-backup.yaml b/docker/services/pacemaker/cinder-backup.yaml index c2117c04..cdb8c1bc 100644 --- a/docker/services/pacemaker/cinder-backup.yaml +++ b/docker/services/pacemaker/cinder-backup.yaml @@ -188,6 +188,9 @@ outputs: resource: openstack-cinder-backup state: disable wait_for_resource: true + register: output + retries: 5 + until: output.rc == 0 when: is_bootstrap_node - name: Delete the stopped openstack-cinder-backup cluster resource. tags: step2 @@ -195,6 +198,9 @@ outputs: resource: openstack-cinder-backup state: delete wait_for_resource: true + register: output + retries: 5 + until: output.rc == 0 when: is_bootstrap_node - name: Disable cinder_backup service tags: step2 diff --git a/docker/services/pacemaker/cinder-volume.yaml b/docker/services/pacemaker/cinder-volume.yaml index a4f69517..15c5e099 100644 --- a/docker/services/pacemaker/cinder-volume.yaml +++ b/docker/services/pacemaker/cinder-volume.yaml @@ -206,6 +206,9 @@ outputs: resource: openstack-cinder-volume state: disable wait_for_resource: true + register: output + retries: 5 + until: output.rc == 0 when: is_bootstrap_node - name: Delete the stopped openstack-cinder-volume cluster resource. tags: step2 @@ -213,6 +216,9 @@ outputs: resource: openstack-cinder-volume state: delete wait_for_resource: true + register: output + retries: 5 + until: output.rc == 0 when: is_bootstrap_node - name: Disable cinder_volume service from boot tags: step2 diff --git a/docker/services/pacemaker/database/mysql.yaml b/docker/services/pacemaker/database/mysql.yaml index 3de1696d..9dace271 100644 --- a/docker/services/pacemaker/database/mysql.yaml +++ b/docker/services/pacemaker/database/mysql.yaml @@ -159,15 +159,17 @@ outputs: detach: false image: {get_param: DockerMysqlImage} net: host + user: root # Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done command: - 'bash' - - '-ec' + - '-ecx' - list_join: - "\n" - - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi' - - 'kolla_start' + - 'echo -e "\n[mysqld]\nwsrep_provider=none" >> /etc/my.cnf' + - 'sudo -u mysql -E kolla_start' - 'mysqld_safe --skip-networking --wsrep-on=OFF &' - 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done''' - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER ''clustercheck''@''localhost'' IDENTIFIED BY ''${DB_CLUSTERCHECK_PASSWORD}'';"' @@ -266,20 +268,34 @@ outputs: - name: set is_bootstrap_node fact tags: common set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}} + - name: Check cluster resource status + tags: step2 + pacemaker_resource: + resource: galera + state: master + check_mode: true + ignore_errors: true + register: galera_res - name: Disable the galera cluster resource tags: step2 pacemaker_resource: resource: galera state: disable wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and galera_res|succeeded - name: Delete the stopped galera cluster resource. tags: step2 pacemaker_resource: resource: galera state: delete wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and galera_res|succeeded - name: Disable mysql service tags: step2 service: name=mariadb enabled=no diff --git a/docker/services/pacemaker/database/redis.yaml b/docker/services/pacemaker/database/redis.yaml index 0b8aa046..4d26a084 100644 --- a/docker/services/pacemaker/database/redis.yaml +++ b/docker/services/pacemaker/database/redis.yaml @@ -36,9 +36,19 @@ parameters: default: {} description: Parameters specific to the role type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: + ContainersCommon: + type: ../../containers-common.yaml + RedisBase: type: ../../../../puppet/services/database/redis.yaml properties: @@ -74,6 +84,8 @@ outputs: - 3124 - 6379 - 26379 + tripleo::stunnel::manage_service: false + tripleo::stunnel::foreground: 'yes' step_config: "" service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS @@ -109,6 +121,13 @@ outputs: - path: /var/log/redis owner: redis:redis recurse: true + /var/lib/kolla/config_files/redis_tls_proxy.json: + command: stunnel /etc/stunnel/stunnel.conf + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true docker_config: step_1: redis_image_tag: @@ -134,32 +153,54 @@ outputs: - /usr/bin:/usr/bin:ro - /var/run/docker.sock:/var/run/docker.sock:rw step_2: - redis_init_bundle: - start_order: 2 - detach: false - net: host - user: root - config_volume: 'redis_init_bundle' - command: - - '/bin/bash' - - '-c' - - str_replace: - template: - list_join: - - '; ' - - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 2}' > /etc/puppet/hieradata/docker.json" - - "FACTER_uuid=docker puppet apply --tags file,file_line,concat,augeas,TAGS -v -e 'CONFIG'" - params: - TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation' - CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::database::redis_bundle' - image: *redis_config_image - volumes: - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /etc/puppet:/tmp/puppet-etc:ro - - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro - - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro - - /dev/shm:/dev/shm:rw + map_merge: + - redis_init_bundle: + start_order: 2 + detach: false + net: host + user: root + config_volume: 'redis_init_bundle' + command: + - '/bin/bash' + - '-c' + - str_replace: + template: + list_join: + - '; ' + - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 2}' > /etc/puppet/hieradata/docker.json" + - "FACTER_uuid=docker puppet apply --tags file,file_line,concat,augeas,TAGS -v -e 'CONFIG'" + params: + TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation' + CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::database::redis_bundle' + image: *redis_config_image + volumes: + - /etc/hosts:/etc/hosts:ro + - /etc/localtime:/etc/localtime:ro + - /etc/puppet:/tmp/puppet-etc:ro + - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro + - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro + - /dev/shm:/dev/shm:rw + - if: + - internal_tls_enabled + - redis_tls_proxy: + start_order: 3 + image: *redis_image_pcmklatest + net: host + user: root + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/redis_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro + - /etc/pki/tls/certs/redis.crt:/etc/pki/tls/certs/redis.crt:ro + - /etc/pki/tls/private/redis.key:/etc/pki/tls/private/redis.key:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - {} + metadata_settings: + get_attr: [RedisBase, role_data, metadata_settings] host_prep_tasks: - name: create /var/run/redis file: @@ -181,20 +222,34 @@ outputs: - name: set is_bootstrap_node fact tags: common set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}} + - name: Check cluster resource status + tags: step2 + pacemaker_resource: + resource: {get_attr: [RedisBase, role_data, service_name]} + state: master + check_mode: true + ignore_errors: true + register: redis_res - name: Disable the redis cluster resource tags: step2 pacemaker_resource: resource: {get_attr: [RedisBase, role_data, service_name]} state: disable wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and redis_res|succeeded - name: Delete the stopped redis cluster resource. tags: step2 pacemaker_resource: resource: {get_attr: [RedisBase, role_data, service_name]} state: delete wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and redis_res|succeeded - name: Disable redis service tags: step2 service: name=redis enabled=no diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml index 2e5c7424..2cc04e96 100644 --- a/docker/services/pacemaker/haproxy.yaml +++ b/docker/services/pacemaker/haproxy.yaml @@ -78,8 +78,7 @@ outputs: config_settings: map_merge: - get_attr: [HAProxyBase, role_data, config_settings] - - tripleo::haproxy::haproxy_daemon: false - haproxy_docker: true + - haproxy_docker: true tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image {get_param: DockerHAProxyImage} # the list of directories that contain the certs to bind mount in the countainer # bind-mounting the directories rather than all the cert, key and pem files ensures @@ -88,6 +87,7 @@ outputs: - get_param: InternalTLSCAFile - get_param: HAProxyInternalTLSKeysDirectory - get_param: HAProxyInternalTLSCertsDirectory + - get_param: DeployedSSLCertificatePath tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory} tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory} # disable the use CRL file until we can restart the container when the file expires @@ -119,7 +119,7 @@ outputs: data: *tls_mapping kolla_config: /var/lib/kolla/config_files/haproxy.json: - command: haproxy -f /etc/haproxy/haproxy.cfg + command: /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" @@ -223,17 +223,31 @@ outputs: - name: set is_bootstrap_node fact tags: common set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}} + - name: Check cluster resource status + tags: step2 + pacemaker_resource: + resource: {get_attr: [HAProxyBase, role_data, service_name]} + state: started + check_mode: true + ignore_errors: true + register: haproxy_res - name: Disable the haproxy cluster resource. tags: step2 pacemaker_resource: resource: {get_attr: [HAProxyBase, role_data, service_name]} state: disable wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and haproxy_res|succeeded - name: Delete the stopped haproxy cluster resource. tags: step2 pacemaker_resource: resource: {get_attr: [HAProxyBase, role_data, service_name]} state: delete wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and haproxy_res|succeeded diff --git a/docker/services/pacemaker/ovn-dbs.yaml b/docker/services/pacemaker/ovn-dbs.yaml new file mode 100644 index 00000000..03c5a397 --- /dev/null +++ b/docker/services/pacemaker/ovn-dbs.yaml @@ -0,0 +1,140 @@ +heat_template_version: pike + +description: > + OpenStack containerized OVN DBs service managed by pacemaker + +parameters: + DockerOvnDbsImage: + description: image + type: string + DockerOvnDbsConfigImage: + description: image + type: string + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + OVNNorthboundServerPort: + description: Port of the OVN Northbound DB server + type: number + default: 6641 + OVNSouthboundServerPort: + description: Port of the OVN Southbound DB server + type: number + default: 6642 + +resources: + + ContainersCommon: + type: ./../containers-common.yaml + + OVNDbsBase: + type: ../../../puppet/services/pacemaker/ovn-dbs.yaml + properties: + EndpointMap: {get_param: EndpointMap} + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + OVNNorthboundServerPort: {get_param: OVNNorthboundServerPort} + OVNSouthboundServerPort: {get_param: OVNSouthboundServerPort} + +outputs: + role_data: + description: Role data for the OVN Dbs HA role. + value: + service_name: {get_attr: [OVNDbsBase, role_data, service_name]} + config_settings: + map_merge: + - get_attr: [OVNDbsBase, role_data, config_settings] + - tripleo::profile::pacemaker::ovn_dbs_bundle::ovn_dbs_docker_image: {get_param: DockerOvnDbsImage} + - tripleo::profile::pacemaker::ovn_dbs_bundle::nb_db_port: {get_param: OVNNorthboundServerPort} + - tripleo::profile::pacemaker::ovn_dbs_bundle::sb_db_port: {get_param: OVNSouthboundServerPort} + step_config: '' + service_config_settings: {get_attr: [OVNDbsBase, role_data, service_config_settings]} + # BEGIN DOCKER SETTINGS + puppet_config: + config_volume: 'ovn_dbs' + puppet_tags: 'exec' + step_config: '' + config_image: &ovn_dbs_config_image {get_param: DockerOvnDbsConfigImage} + kolla_config: + /var/lib/kolla/config_files/ovn_dbs.json: + command: /usr/sbin/pacemaker_remoted + config_files: + - dest: /etc/libqb/force-filesystem-sockets + source: /dev/null + owner: root + perm: '0644' + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + optional: true + docker_config: + step_3: + ovn_dbs_init_bundle: + start_order: 1 + detach: false + net: host + user: root + config_volume: 'ovn_dbs_init_bundle' + command: + - '/bin/bash' + - '-c' + - str_replace: + template: + list_join: + - '; ' + - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 3}' > /etc/puppet/hieradata/docker.json" + - "FACTER_uuid=docker puppet apply --tags file,file_line,concat,augeas,TAGS -v -e 'CONFIG'" + params: + TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation' + CONFIG: + list_join: + - ';' + - - 'include ::tripleo::profile::base::pacemaker' + - 'include ::tripleo::profile::pacemaker::ovn_dbs_bundle' + image: *ovn_dbs_config_image + volumes: + - /etc/hosts:/etc/hosts:ro + - /etc/localtime:/etc/localtime:ro + - /etc/puppet:/tmp/puppet-etc:ro + - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro + - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro + - /dev/shm:/dev/shm:rw + host_prep_tasks: + - name: create persistent directories + file: + path: "{{ item }}" + state: directory + with_items: + - /var/log/containers/openvswitch + - /var/lib/openvswitch/ovn + upgrade_tasks: + - name: Stop and disable ovn-northd service + tags: step2 + service: name=ovn-northd state=stopped enabled=no diff --git a/docker/services/pacemaker/rabbitmq.yaml b/docker/services/pacemaker/rabbitmq.yaml index ba1abaf9..7333689c 100644 --- a/docker/services/pacemaker/rabbitmq.yaml +++ b/docker/services/pacemaker/rabbitmq.yaml @@ -215,20 +215,34 @@ outputs: - name: set is_bootstrap_node fact tags: common set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}} + - name: Check cluster resource status + tags: step2 + pacemaker_resource: + resource: {get_attr: [RabbitmqBase, role_data, service_name]} + state: started + check_mode: true + ignore_errors: true + register: rabbitmq_res - name: Disable the rabbitmq cluster resource. tags: step2 pacemaker_resource: resource: {get_attr: [RabbitmqBase, role_data, service_name]} state: disable wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and rabbitmq_res|succeeded - name: Delete the stopped rabbitmq cluster resource. tags: step2 pacemaker_resource: resource: {get_attr: [RabbitmqBase, role_data, service_name]} state: delete wait_for_resource: true - when: is_bootstrap_node + register: output + retries: 5 + until: output.rc == 0 + when: is_bootstrap_node and rabbitmq_res|succeeded - name: Disable rabbitmq service tags: step2 service: name=rabbitmq-server enabled=no diff --git a/docker/services/panko-api.yaml b/docker/services/panko-api.yaml index 626d9176..3edd9049 100644 --- a/docker/services/panko-api.yaml +++ b/docker/services/panko-api.yaml @@ -104,7 +104,8 @@ outputs: user: root volumes: - /var/log/containers/panko:/var/log/panko - command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd; chown -R panko:panko /var/log/panko'] + - /var/log/containers/httpd/panko-api:/var/log/httpd + command: ['/bin/bash', '-c', 'chown -R panko:panko /var/log/panko'] step_3: panko_db_sync: image: *panko_api_image @@ -119,6 +120,7 @@ outputs: - /var/lib/config-data/panko/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro - /var/lib/config-data/panko/etc/panko:/etc/panko:ro - /var/log/containers/panko:/var/log/panko + - /var/log/containers/httpd/panko-api:/var/log/httpd command: "/usr/bin/bootstrap_host_exec panko_api su panko -s /bin/bash -c '/usr/bin/panko-dbsync'" step_4: panko_api: @@ -134,6 +136,7 @@ outputs: - /var/lib/kolla/config_files/panko_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/panko/:/var/lib/kolla/config_files/src:ro - /var/log/containers/panko:/var/log/panko + - /var/log/containers/httpd/panko-api:/var/log/httpd - if: - internal_tls_enabled @@ -149,7 +152,10 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: /var/log/containers/panko + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/panko + - /var/log/containers/httpd/panko-api metadata_settings: get_attr: [PankoApiPuppetBase, role_data, metadata_settings] diff --git a/docker/services/swift-proxy.yaml b/docker/services/swift-proxy.yaml index 374db250..86871210 100644 --- a/docker/services/swift-proxy.yaml +++ b/docker/services/swift-proxy.yaml @@ -111,6 +111,7 @@ outputs: - /srv/node:/srv/node - /dev:/dev - /var/log/containers/swift:/var/log/swift + - /var/log/containers/httpd/swift-proxy:/var/log/httpd environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - if: @@ -138,6 +139,7 @@ outputs: state: directory with_items: - /var/log/containers/swift + - /var/log/containers/httpd/swift-proxy - /srv/node upgrade_tasks: - name: Stop and disable swift_proxy service diff --git a/docker/services/swift-ringbuilder.yaml b/docker/services/swift-ringbuilder.yaml index e4e2c7d2..2a44f703 100644 --- a/docker/services/swift-ringbuilder.yaml +++ b/docker/services/swift-ringbuilder.yaml @@ -7,6 +7,10 @@ parameters: DockerSwiftConfigImage: description: The container image to use for the swift config_volume type: string + DockerSwiftRingbuilderConfigImage: + description: Fake parameter to bypass config_volume yaml validation + type: string + default: '' ServiceData: default: {} description: Dictionary packing service data @@ -92,9 +96,22 @@ outputs: service_config_settings: {get_attr: [SwiftRingbuilderBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS puppet_config: - config_volume: 'swift' + config_volume: 'swift_ringbuilder' puppet_tags: exec,fetch_swift_ring_tarball,extract_swift_ring_tarball,ring_object_device,swift::ringbuilder::create,tripleo::profile::base::swift::add_devices,swift::ringbuilder::rebalance,create_swift_ring_tarball,upload_swift_ring_tarball step_config: *step_config - config_image: {get_param: DockerSwiftConfigImage} + config_image: &swift_ringbuilder_image {get_param: DockerSwiftConfigImage} kolla_config: {} - docker_config: {} + docker_config: + step_3: + swift_copy_rings: + image: *swift_ringbuilder_image + user: root + detach: false + command: + # Use bash to run the cp command so that wildcards can be used + - '/bin/bash' + - '-c' + - 'cp -v -a -t /etc/swift /swift_ringbuilder/etc/swift/*.gz /swift_ringbuilder/etc/swift/*.builder /swift_ringbuilder/etc/swift/backups' + volumes: + - /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:rw + - /var/lib/config-data/swift_ringbuilder:/swift_ringbuilder:ro diff --git a/docker/services/zaqar.yaml b/docker/services/zaqar.yaml index b6fb4001..ab30ab5a 100644 --- a/docker/services/zaqar.yaml +++ b/docker/services/zaqar.yaml @@ -116,6 +116,7 @@ outputs: user: root volumes: - /var/log/containers/zaqar:/var/log/zaqar + - /var/log/containers/httpd/zaqar:/var/log/httpd command: ['/bin/bash', '-c', 'chown -R zaqar:zaqar /var/log/zaqar'] step_3: zaqar_db_sync: @@ -130,7 +131,8 @@ outputs: - - /var/lib/config-data/zaqar/etc/zaqar/:/etc/zaqar/:ro - /var/log/containers/zaqar:/var/log/zaqar - command: "/usr/bin/bootstrap_host_exec zaqar su zaqar -s /bin/bash -c 'zaqar-sql-db-manage upgrade head'" + - /var/log/containers/httpd/zaqar:/var/log/httpd + command: "/usr/bin/bootstrap_host_exec zaqar_api su zaqar -s /bin/bash -c 'zaqar-sql-db-manage upgrade head'" - {} - step_4: zaqar: @@ -148,6 +150,7 @@ outputs: - /var/lib/kolla/config_files/zaqar.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/zaqar/:/var/lib/kolla/config_files/src:ro - /var/log/containers/zaqar:/var/log/zaqar + - /var/log/containers/httpd/zaqar:/var/log/httpd - if: - internal_tls_enabled @@ -172,13 +175,17 @@ outputs: - /var/lib/kolla/config_files/zaqar_websocket.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/zaqar/:/var/lib/kolla/config_files/src:ro - /var/log/containers/zaqar:/var/log/zaqar + - /var/log/containers/httpd/zaqar:/var/log/httpd environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: - name: create persistent logs directory file: - path: /var/log/containers/zaqar + path: "{{ item }}" state: directory + with_items: + - /var/log/containers/zaqar + - /var/log/containers/httpd/zaqar upgrade_tasks: - name: Stop and disable zaqar service tags: step2 |