Diffstat (limited to 'docker')
-rwxr-xr-xdocker/docker-puppet.py3
-rw-r--r--docker/services/ceph-ansible/ceph-base.yaml32
-rw-r--r--docker/services/ceph-ansible/ceph-rgw.yaml87
-rw-r--r--docker/services/cinder-api.yaml2
-rw-r--r--docker/services/database/mongodb.yaml4
-rw-r--r--docker/services/database/redis.yaml87
-rw-r--r--docker/services/heat-api.yaml2
-rw-r--r--docker/services/iscsid.yaml4
-rw-r--r--docker/services/keystone.yaml2
-rw-r--r--docker/services/nova-api.yaml2
-rw-r--r--docker/services/nova-compute.yaml11
-rw-r--r--docker/services/nova-conductor.yaml12
-rw-r--r--docker/services/opendaylight-api.yaml15
-rw-r--r--docker/services/pacemaker/database/mysql.yaml4
-rw-r--r--docker/services/pacemaker/haproxy.yaml1
-rw-r--r--docker/services/swift-ringbuilder.yaml23
-rw-r--r--docker/services/zaqar.yaml3
17 files changed, 257 insertions, 37 deletions
diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py
index 4659cf53..0451ed51 100755
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
@@ -257,7 +257,7 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
'--volume', '%s:/etc/config.pp:ro' % tmp_man.name,
'--volume', '/etc/puppet/:/tmp/puppet-etc/:ro',
'--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro',
- '--volume', '/var/lib/config-data/:/var/lib/config-data/:rw',
+ '--volume', '%s:/var/lib/config-data/:rw' % os.environ.get('CONFIG_VOLUME_PREFIX', '/var/lib/config-data'),
'--volume', 'tripleo_logs:/var/log/tripleo/',
# Syslog socket for puppet logs
'--volume', '/dev/log:/dev/log',
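Review bot: The host side of this bind mount now comes straight from `CONFIG_VOLUME_PREFIX` with no validation, and it is mounted `:rw` into the config container. An empty value produces a malformed `--volume` argument, and a non-absolute value is treated by docker as a named volume rather than a host path, so the generated config would silently land somewhere other than the intended directory. Resolve and check it once before building the command, e.g. `config_volume_prefix = os.path.abspath(os.environ.get('CONFIG_VOLUME_PREFIX', '/var/lib/config-data'))`, and use that variable here. Other uses of `/var/lib/config-data` in this script may need the same prefix; they are outside this hunk, as is the rest of `mp_puppet_config`.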
@@ -366,6 +366,7 @@ for infile in infiles:
outfile = os.path.join(os.path.dirname(infile), "hashed-" + os.path.basename(infile))
with open(outfile, 'w') as out_f:
+ os.chmod(out_f.name, 0600)
json.dump(infile_data, out_f)
if not success:
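Review bot: The `os.chmod(out_f.name, 0600)` call runs after `open(outfile, 'w')` has already created the file with umask-derived permissions, so a newly created `hashed-*` file is briefly readable by other local users. Create it restricted from the start with `fd = os.open(outfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)` followed by `with os.fdopen(fd, 'w') as out_f:`. Keep the chmod as well, because the mode passed to `os.open` has no effect on a file that already exists. A short comment saying that the file is restricted because the startup config can carry credentials would explain the call; that reason is inferred, not shown in the hunk.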
diff --git a/docker/services/ceph-ansible/ceph-base.yaml b/docker/services/ceph-ansible/ceph-base.yaml
index bf2c86c4..18d3e6a3 100644
--- a/docker/services/ceph-ansible/ceph-base.yaml
+++ b/docker/services/ceph-ansible/ceph-base.yaml
@@ -100,6 +100,14 @@ parameters:
CephClientUserName:
default: openstack
type: string
+ CephRgwClientName:
+ default: radosgw
+ type: string
+ CephRgwKey:
+ description: The cephx key for the radosgw client. Can be created
+ with ceph-authtool --gen-print-key.
+ type: string
+ hidden: true
CephPoolDefaultSize:
description: default minimum replication for RBD copies
type: number
@@ -115,10 +123,13 @@ parameters:
CephIPv6:
default: False
type: boolean
+ SwiftPassword:
+ description: The password for the swift service account
+ type: string
+ hidden: true
DockerCephDaemonImage:
description: image
type: string
- default: 'ceph/daemon:tag-build-master-jewel-centos-7'
conditions:
custom_registry_host:
@@ -241,16 +252,33 @@ outputs:
- - client
- {get_param: ManilaCephFSNativeCephFSAuthId}
key: {get_param: CephManilaClientKey}
- mon_cap: "allow r, allow command auth del, allow command auth caps, allow command auth get, allow command auth get-or-create"
+ mon_cap: 'allow r, allow command \\\"auth del\\\", allow command \\\"auth caps\\\", allow command \\\"auth get\\\", allow command \\\"auth get-or-create\\\"'
mds_cap: "allow *"
osd_cap: "allow rw"
mode: "0644"
+ - name:
+ list_join:
+ - '.'
+ - - client
+ - {get_param: CephRgwClientName}
+ key: {get_param: CephRgwKey}
+ mon_cap: "allow rw"
+ osd_cap: "allow rwx"
+ mode: "0644"
keys: *openstack_keys
pools: []
ceph_conf_overrides:
global:
osd_pool_default_size: {get_param: CephPoolDefaultSize}
osd_pool_default_pg_num: {get_param: CephPoolDefaultPgNum}
+ rgw_keystone_api_version: 3
+ rgw_keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
+ rgw_keystone_accepted_roles: 'Member, _member_, admin'
+ rgw_keystone_admin_domain: default
+ rgw_keystone_admin_project: service
+ rgw_keystone_admin_user: swift
+ rgw_keystone_admin_password: {get_param: SwiftPassword}
+ rgw_s3_auth_use_keystone: 'true'
ntp_service_enabled: false
generate_fsid: false
ip_version:
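Review bot: `rgw_keystone_admin_password` is added under `ceph_conf_overrides: global`, so the swift service account password would presumably be rendered into the global section of ceph.conf on every node that consumes these variables, not only on RGW hosts. ceph.conf is commonly world-readable. If ceph-ansible allows it, scope the `rgw_keystone_*` settings to an RGW-specific section; otherwise add a comment recording why `global` is required. The new `client.<CephRgwClientName>` key is also written with `mode: "0644"`, which matches the existing entries but leaves the cephx key readable by all local users. `mode: "0600"` would be tighter, provided the consuming daemon can still read the file.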
diff --git a/docker/services/ceph-ansible/ceph-rgw.yaml b/docker/services/ceph-ansible/ceph-rgw.yaml
new file mode 100644
index 00000000..4bed9b46
--- /dev/null
+++ b/docker/services/ceph-ansible/ceph-rgw.yaml
@@ -0,0 +1,87 @@
+heat_template_version: pike
+
+description: >
+ Ceph RadosGW service.
+
+parameters:
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ SwiftPassword:
+ description: The password for the swift service account
+ type: string
+ hidden: true
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
+
+resources:
+ CephBase:
+ type: ./ceph-base.yaml
+ properties:
+ ServiceData: {get_param: ServiceData}
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ RoleName: {get_param: RoleName}
+ RoleParameters: {get_param: RoleParameters}
+
+outputs:
+ role_data:
+ description: Role data for the Ceph RadosGW service.
+ value:
+ service_name: ceph_rgw
+ upgrade_tasks: []
+ step_config: ''
+ puppet_config:
+ config_image: ''
+ config_volume: ''
+ step_config: ''
+ docker_config: {}
+ service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]}
+ config_settings:
+ map_merge:
+ - tripleo.ceph_rgw.firewall_rules:
+ '122 ceph rgw':
+ dport: {get_param: [EndpointMap, CephRgwInternal, port]}
+ - ceph_rgw_ansible_vars:
+ map_merge:
+ - {get_attr: [CephBase, role_data, config_settings, ceph_common_ansible_vars]}
+ - radosgw_keystone: true
+ radosgw_keystone_ssl: false
+ radosgw_address_block: {get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephRgwNetwork]}]}
+ radosgw_civetweb_port: {get_param: [EndpointMap, CephRgwInternal, port]}
+ service_config_settings:
+ keystone:
+ ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]}
+ ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]}
+ ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]}
+ ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion}
+ ceph::rgw::keystone::auth::roles: [ 'admin', 'Member', '_member_' ]
+ ceph::rgw::keystone::auth::tenant: service
+ ceph::rgw::keystone::auth::user: swift
+ ceph::rgw::keystone::auth::password: {get_param: SwiftPassword}
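Review bot: `radosgw_keystone_ssl: false` is hard-coded, while the Keystone URL handed to RGW in ceph-base.yaml comes from the `KeystoneInternal` endpoint, which may be https on deployments with internal TLS. Whether that combination works depends on ceph-ansible behaviour that is not visible on this page. Either derive the value from a TLS condition or document the limitation next to the setting, e.g. `# RGW-to-Keystone TLS is not wired up yet; revisit when internal TLS is enabled`. The template also lacks a comment explaining that `puppet_config` and `docker_config` are intentionally empty because the service is deployed through `service_workflow_tasks`.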
diff --git a/docker/services/cinder-api.yaml b/docker/services/cinder-api.yaml
index 519b2328..93d09ca0 100644
--- a/docker/services/cinder-api.yaml
+++ b/docker/services/cinder-api.yaml
@@ -163,6 +163,8 @@ outputs:
user: root
privileged: false
restart: always
+ healthcheck:
+ test: /bin/true
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
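Review bot: `test: /bin/true` makes this container report healthy unconditionally, so a crashed or hung process inside it will never show up as unhealthy. If the aim is to mask an image-level healthcheck that does not apply here, say so in a comment such as `# image healthcheck probes the API service, which this container does not run`. The keystone hunk's context shows a `crond -n` command, which suggests these are cron containers. The same applies to the identical additions in heat-api.yaml, keystone.yaml and nova-api.yaml. The container definition starts above this hunk, so its name is not visible.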
diff --git a/docker/services/database/mongodb.yaml b/docker/services/database/mongodb.yaml
index 9b5c5b8f..d6bba20b 100644
--- a/docker/services/database/mongodb.yaml
+++ b/docker/services/database/mongodb.yaml
@@ -157,6 +157,10 @@ outputs:
metadata_settings:
get_attr: [MongodbPuppetBase, role_data, metadata_settings]
upgrade_tasks:
+ - name: Check for mongodb service
+ stat: path=/usr/lib/systemd/system/mongod.service
+ register: mongod_service
- name: Stop and disable mongodb service
tags: step2
service: name=mongod state=stopped enabled=no
+ when: mongod_service.stat.exists
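Review bot: The new `Check for mongodb service` task has no `tags:` entry, while the task that reads `mongod_service` is tagged `step2`. If the upgrade tasks are run with per-step tag selection, the untagged stat task is skipped and `when: mongod_service.stat.exists` fails on an undefined variable. Add `tags: step2` to the stat task, or guard the condition the way iscsid.yaml does in this same commit, e.g. `when: (mongod_service.stat|default({})).exists|default(false)`.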
diff --git a/docker/services/database/redis.yaml b/docker/services/database/redis.yaml
index 980a8c6d..487b4c67 100644
--- a/docker/services/database/redis.yaml
+++ b/docker/services/database/redis.yaml
@@ -36,9 +36,19 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
+ ContainersCommon:
+ type: ../containers-common.yaml
+
RedisBase:
type: ../../../puppet/services/database/redis.yaml
properties:
@@ -56,6 +66,8 @@ outputs:
map_merge:
- {get_attr: [RedisBase, role_data, config_settings]}
- redis::daemonize: false
+ tripleo::stunnel::manage_service: false
+ tripleo::stunnel::foreground: 'yes'
step_config: &step_config
get_attr: [RedisBase, role_data, step_config]
service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
@@ -80,31 +92,60 @@ outputs:
- path: /var/run/redis
owner: redis:redis
recurse: true
+ /var/lib/kolla/config_files/redis_tls_proxy.json:
+ command: stunnel /etc/stunnel/stunnel.conf
+ config_files:
+ - source: "/var/lib/kolla/config_files/src/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
docker_config:
step_1:
- redis_init_logs:
- start_order: 0
- detach: false
- image: &redis_image {get_param: DockerRedisImage}
- privileged: false
- user: root
- volumes:
- - /var/log/containers/redis:/var/log/redis
- command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis']
- redis:
- start_order: 1
- image: *redis_image
- net: host
- privileged: false
- restart: always
- volumes:
- - /run:/run
- - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro
- - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro
- - /etc/localtime:/etc/localtime:ro
- - /var/log/containers/redis:/var/log/redis
- environment:
- - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ map_merge:
+ - redis_init_logs:
+ start_order: 0
+ detach: false
+ image: &redis_image {get_param: DockerRedisImage}
+ privileged: false
+ user: root
+ volumes:
+ - /var/log/containers/redis:/var/log/redis
+ command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis']
+ - redis:
+ start_order: 1
+ image: *redis_image
+ net: host
+ privileged: false
+ restart: always
+ volumes:
+ - /run:/run
+ - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro
+ - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /var/log/containers/redis:/var/log/redis
+ environment:
+ - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ - if:
+ - internal_tls_enabled
+ - redis_tls_proxy:
+ start_order: 2
+ image: *redis_image
+ net: host
+ user: root
+ restart: always
+ volumes:
+ list_concat:
+ - {get_attr: [ContainersCommon, volumes]}
+ -
+ - /var/lib/kolla/config_files/redis_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
+ - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro
+ - /etc/pki/tls/certs/redis.crt:/etc/pki/tls/certs/redis.crt:ro
+ - /etc/pki/tls/private/redis.key:/etc/pki/tls/private/redis.key:ro
+ environment:
+ - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ - {}
+ metadata_settings:
+ get_attr: [RedisBase, role_data, metadata_settings]
host_prep_tasks:
- name: create persistent directories
file:
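Review bot: `redis_tls_proxy` runs as `user: root` on the host network with `/etc/pki/tls/private/redis.key` mounted, but unlike the `redis_init_logs` and `redis` entries in the same `map_merge` it does not declare `privileged: false`. Add `privileged: false` to the proxy definition so the setting is explicit and consistent with its siblings. A comment on why the proxy needs root (presumably to read the private key) would help a later reader decide whether it can run as an unprivileged user.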
diff --git a/docker/services/heat-api.yaml b/docker/services/heat-api.yaml
index 54c7bedd..6c1621f1 100644
--- a/docker/services/heat-api.yaml
+++ b/docker/services/heat-api.yaml
@@ -136,6 +136,8 @@ outputs:
user: root
privileged: false
restart: always
+ healthcheck:
+ test: /bin/true
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
diff --git a/docker/services/iscsid.yaml b/docker/services/iscsid.yaml
index 80519800..c34a59d5 100644
--- a/docker/services/iscsid.yaml
+++ b/docker/services/iscsid.yaml
@@ -109,7 +109,7 @@ outputs:
- name: Stop and disable iscsid service
tags: step2
service: name=iscsid state=stopped enabled=no
- when: stat_iscsid_service.stat.exists
+ when: (stat_iscsid_service.stat|default('')).exists|default(false)
- name: stat /lib/systemd/system/iscsid.socket
tags: step2
stat: path=/lib/systemd/system/iscsid.socket
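Review bot: `default('')` substitutes a string for a missing `stat` result and then relies on `.exists` of a string being undefined, which works but hides the intent. `when: (stat_iscsid_service.stat|default({})).exists|default(false)` says directly that a missing result is treated as "file not present". A one-line comment on when the registered variable can be absent would also help. The second hunk in this file uses the same expression for `stat_iscsid_socket`.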
@@ -117,4 +117,4 @@ outputs:
- name: Stop and disable iscsid.socket service
tags: step2
service: name=iscsid.socket state=stopped enabled=no
- when: stat_iscsid_socket.stat.exists
+ when: (stat_iscsid_socket.stat|default('')).exists|default(false)
diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index 4c2c1d16..97b4c5d5 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -175,6 +175,8 @@ outputs:
privileged: false
restart: always
command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n']
+ healthcheck:
+ test: /bin/true
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml
index 37c4da5b..7142b70e 100644
--- a/docker/services/nova-api.yaml
+++ b/docker/services/nova-api.yaml
@@ -196,6 +196,8 @@ outputs:
user: root
privileged: false
restart: always
+ healthcheck:
+ test: /bin/true
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml
index 39d1740c..bf7841be 100644
--- a/docker/services/nova-compute.yaml
+++ b/docker/services/nova-compute.yaml
@@ -41,6 +41,10 @@ parameters:
description: Port that dockerized nova migration target sshd service
binds to.
type: number
+ UpgradeLevelNovaCompute:
+ type: string
+ description: Nova Compute upgrade level
+ default: ''
resources:
@@ -142,6 +146,13 @@ outputs:
path: /etc/ceph
state: directory
upgrade_tasks:
+ - name: Set compute upgrade level to auto
+ tags: step1
+ ini_file:
+ str_replace:
+ template: "dest=/etc/nova/nova.conf section=upgrade_levels option=compute value=LEVEL"
+ params:
+ LEVEL: {get_param: UpgradeLevelNovaCompute}
- name: Stop and disable nova-compute service
tags: step2
service: name=openstack-nova-compute state=stopped enabled=no
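Review bot: `UpgradeLevelNovaCompute` is spliced into a `key=value` argument string for `ini_file`, so a value containing a space would be parsed as extra module arguments, and the empty default renders a bare `value=`. Passing the module arguments as a mapping avoids the string parsing entirely, as in the fence below. The task name says "to auto" although the value comes from the parameter, so rename the task or document that operators are expected to set `auto`. The same task is added in nova-conductor.yaml.
```yaml
- name: Set compute upgrade level to auto
  tags: step1
  ini_file:
    dest: /etc/nova/nova.conf
    section: upgrade_levels
    option: compute
    value: {get_param: UpgradeLevelNovaCompute}
# … unchanged: Stop and disable nova-compute service …
```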
diff --git a/docker/services/nova-conductor.yaml b/docker/services/nova-conductor.yaml
index ae737056..17d137cc 100644
--- a/docker/services/nova-conductor.yaml
+++ b/docker/services/nova-conductor.yaml
@@ -36,7 +36,10 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
-
+ UpgradeLevelNovaCompute:
+ type: string
+ description: Nova Compute upgrade level
+ default: ''
resources:
@@ -108,6 +111,13 @@ outputs:
path: /var/log/containers/nova
state: directory
upgrade_tasks:
+ - name: Set compute upgrade level to auto
+ tags: step1
+ ini_file:
+ str_replace:
+ template: "dest=/etc/nova/nova.conf section=upgrade_levels option=compute value=LEVEL"
+ params:
+ LEVEL: {get_param: UpgradeLevelNovaCompute}
- name: Stop and disable nova_conductor service
tags: step2
service: name=openstack-nova-conductor state=stopped enabled=no
diff --git a/docker/services/opendaylight-api.yaml b/docker/services/opendaylight-api.yaml
index 6a62f65e..2a6fcfe8 100644
--- a/docker/services/opendaylight-api.yaml
+++ b/docker/services/opendaylight-api.yaml
@@ -97,10 +97,21 @@ outputs:
-
- /var/lib/kolla/config_files/opendaylight_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/opendaylight/:/var/lib/kolla/config_files/src:ro
+ - /var/log/containers/opendaylight:/opt/opendaylight/data/log
+ - /var/lib/opendaylight/journal:/opt/opendaylight/journal
+ - /var/lib/opendaylight/snapshots:/opt/opendaylight/snapshots
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
-
+ host_prep_tasks:
+ - name: create persistent directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - /var/log/containers/opendaylight
+ - /var/lib/opendaylight/snapshots
+ - /var/lib/opendaylight/journal
upgrade_tasks:
- name: Stop and disable opendaylight_api service
tags: step2
- service: name=opendaylight state=stopped enabled=no
+ service: name=opendaylight state=stopped enabled=no \ No newline at end of file
diff --git a/docker/services/pacemaker/database/mysql.yaml b/docker/services/pacemaker/database/mysql.yaml
index 3de1696d..f57f779e 100644
--- a/docker/services/pacemaker/database/mysql.yaml
+++ b/docker/services/pacemaker/database/mysql.yaml
@@ -162,13 +162,13 @@ outputs:
# Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
command:
- 'bash'
- - '-ec'
+ - '-ecx'
-
list_join:
- "\n"
- - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi'
- 'kolla_start'
- - 'mysqld_safe --skip-networking --wsrep-on=OFF &'
+ - 'mysqld_safe --skip-networking --wsrep-on=OFF --wsrep-provider=none &'
- 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done'''
- 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER ''clustercheck''@''localhost'' IDENTIFIED BY ''${DB_CLUSTERCHECK_PASSWORD}'';"'
- 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "GRANT PROCESS ON *.* TO ''clustercheck''@''localhost'' WITH GRANT OPTION;"'
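Review bot: Switching to `-ecx` turns on xtrace for the whole bootstrap script, and bash prints each command after expansion. The `mysql -uroot -p"${DB_ROOT_PASSWORD}"` lines and the `IDENTIFIED BY ''${DB_CLUSTERCHECK_PASSWORD}''` statement will therefore be written to the container's stderr and logs with both passwords in clear text. Keep `- '-ec'`, or if tracing is wanted for the early steps, add `- 'set +x'` to the list before the first line that references a password. The command list may continue past the end of this hunk.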
diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml
index 2e5c7424..3cdc5255 100644
--- a/docker/services/pacemaker/haproxy.yaml
+++ b/docker/services/pacemaker/haproxy.yaml
@@ -88,6 +88,7 @@ outputs:
- get_param: InternalTLSCAFile
- get_param: HAProxyInternalTLSKeysDirectory
- get_param: HAProxyInternalTLSCertsDirectory
+ - get_param: DeployedSSLCertificatePath
tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory}
tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory}
# disable the use CRL file until we can restart the container when the file expires
diff --git a/docker/services/swift-ringbuilder.yaml b/docker/services/swift-ringbuilder.yaml
index e4e2c7d2..2a44f703 100644
--- a/docker/services/swift-ringbuilder.yaml
+++ b/docker/services/swift-ringbuilder.yaml
@@ -7,6 +7,10 @@ parameters:
DockerSwiftConfigImage:
description: The container image to use for the swift config_volume
type: string
+ DockerSwiftRingbuilderConfigImage:
+ description: Fake parameter to bypass config_volume yaml validation
+ type: string
+ default: ''
ServiceData:
default: {}
description: Dictionary packing service data
@@ -92,9 +96,22 @@ outputs:
service_config_settings: {get_attr: [SwiftRingbuilderBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
puppet_config:
- config_volume: 'swift'
+ config_volume: 'swift_ringbuilder'
puppet_tags: exec,fetch_swift_ring_tarball,extract_swift_ring_tarball,ring_object_device,swift::ringbuilder::create,tripleo::profile::base::swift::add_devices,swift::ringbuilder::rebalance,create_swift_ring_tarball,upload_swift_ring_tarball
step_config: *step_config
- config_image: {get_param: DockerSwiftConfigImage}
+ config_image: &swift_ringbuilder_image {get_param: DockerSwiftConfigImage}
kolla_config: {}
- docker_config: {}
+ docker_config:
+ step_3:
+ swift_copy_rings:
+ image: *swift_ringbuilder_image
+ user: root
+ detach: false
+ command:
+ # Use bash to run the cp command so that wildcards can be used
+ - '/bin/bash'
+ - '-c'
+ - 'cp -v -a -t /etc/swift /swift_ringbuilder/etc/swift/*.gz /swift_ringbuilder/etc/swift/*.builder /swift_ringbuilder/etc/swift/backups'
+ volumes:
+ - /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:rw
+ - /var/lib/config-data/swift_ringbuilder:/swift_ringbuilder:ro
diff --git a/docker/services/zaqar.yaml b/docker/services/zaqar.yaml
index b6fb4001..34f2e439 100644
--- a/docker/services/zaqar.yaml
+++ b/docker/services/zaqar.yaml
@@ -130,7 +130,8 @@ outputs:
-
- /var/lib/config-data/zaqar/etc/zaqar/:/etc/zaqar/:ro
- /var/log/containers/zaqar:/var/log/zaqar
- command: "/usr/bin/bootstrap_host_exec zaqar su zaqar -s /bin/bash -c 'zaqar-sql-db-manage upgrade head'"
+ - /var/log/containers/httpd/zaqar:/var/log/httpd
+ command: "/usr/bin/bootstrap_host_exec zaqar_api su zaqar -s /bin/bash -c 'zaqar-sql-db-manage upgrade head'"
- {}
- step_4:
zaqar: