aboutsummaryrefslogtreecommitdiffstats
path: root/docker
diff options
context:
space:
mode:
Diffstat (limited to 'docker')
-rwxr-xr-xdocker/firstboot/setup_docker_host.sh3
-rw-r--r--docker/services/aodh-api.yaml1
-rw-r--r--docker/services/ceph-ansible/ceph-base.yaml69
-rw-r--r--docker/services/ceph-ansible/ceph-mds.yaml83
-rw-r--r--docker/services/database/mongodb.yaml54
-rw-r--r--docker/services/database/mysql.yaml69
-rw-r--r--docker/services/glance-api.yaml11
-rw-r--r--docker/services/gnocchi-api.yaml1
-rw-r--r--docker/services/haproxy.yaml65
-rw-r--r--docker/services/heat-engine.yaml1
-rw-r--r--docker/services/neutron-api.yaml1
-rw-r--r--docker/services/nova-api.yaml27
-rw-r--r--docker/services/nova-libvirt.yaml53
-rw-r--r--docker/services/nova-placement.yaml17
-rw-r--r--docker/services/pacemaker/database/mysql.yaml41
-rw-r--r--docker/services/pacemaker/haproxy.yaml57
-rw-r--r--docker/services/pacemaker/rabbitmq.yaml15
-rw-r--r--docker/services/panko-api.yaml1
18 files changed, 493 insertions, 76 deletions
diff --git a/docker/firstboot/setup_docker_host.sh b/docker/firstboot/setup_docker_host.sh
index 8b4c6a03..af213bbd 100755
--- a/docker/firstboot/setup_docker_host.sh
+++ b/docker/firstboot/setup_docker_host.sh
@@ -6,3 +6,6 @@ set -eux
# Disable libvirtd since it conflicts with nova_libvirt container
/usr/bin/systemctl disable libvirtd.service
/usr/bin/systemctl stop libvirtd.service
+# Disable virtlogd since it conflicts with nova_virtlogd container
+/usr/bin/systemctl disable virtlogd.service
+/usr/bin/systemctl stop virtlogd.service
diff --git a/docker/services/aodh-api.yaml b/docker/services/aodh-api.yaml
index 8afb6d28..da4b981c 100644
--- a/docker/services/aodh-api.yaml
+++ b/docker/services/aodh-api.yaml
@@ -114,6 +114,7 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
+ - /var/lib/config-data/aodh/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro
- /var/lib/config-data/aodh/etc/aodh/:/etc/aodh/:ro
- /var/log/containers/aodh:/var/log/aodh
command: "/usr/bin/bootstrap_host_exec aodh_api su aodh -s /bin/bash -c /usr/bin/aodh-dbsync"
diff --git a/docker/services/ceph-ansible/ceph-base.yaml b/docker/services/ceph-ansible/ceph-base.yaml
index 85fe0608..e65c503b 100644
--- a/docker/services/ceph-ansible/ceph-base.yaml
+++ b/docker/services/ceph-ansible/ceph-base.yaml
@@ -88,6 +88,14 @@ parameters:
description: default minimum replication for RBD copies
type: number
default: 3
+ ManilaCephFSNativeCephFSAuthId:
+ default: manila
+ type: string
+ CephManilaClientKey:
+ default: ''
+ description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
+ type: string
+ hidden: true
CephIPv6:
default: False
type: boolean
@@ -102,6 +110,33 @@ conditions:
data: {get_param: DockerCephDaemonImage}
expression: $.data.split('/')[0].matches('(\.|:)')
+resources:
+ DockerImageUrlParts:
+ type: OS::Heat::Value
+ properties:
+ type: json
+ value:
+ host:
+ if:
+ - custom_registry_host
+ - yaql:
+ expression: let(location => $.data.rightSplit(':', 1)[0]) -> regex('(?:https?://)?(.*)/').split($location)[1]
+ data: {get_param: DockerCephDaemonImage}
+ - docker.io
+ image:
+ if:
+ - custom_registry_host
+ - yaql:
+ expression: let(location => $.data.rightSplit(':', 1)[0]) -> regex('(?:https?://)?(.*)/').split($location)[2]
+ data: {get_param: DockerCephDaemonImage}
+ - yaql:
+ expression: $.data.rightSplit(':', 1)[0]
+ data: {get_param: DockerCephDaemonImage}
+ image_tag:
+ yaql:
+ expression: $.data.rightSplit(':', 1)[1]
+ data: {get_param: DockerCephDaemonImage}
+
outputs:
role_data:
description: Role data for the Ceph base service.
@@ -125,21 +160,9 @@ outputs:
ceph_common_ansible_vars:
fsid: { get_param: CephClusterFSID }
docker: true
- ceph_docker_registry:
- if:
- - custom_registry_host
- - yaql:
- expression: regex('(?:https?://)?(.*)/').split($.data)[1]
- data: {str_split: [':', {get_param: DockerCephDaemonImage}, 0]}
- - docker.io
- ceph_docker_image:
- if:
- - custom_registry_host
- - yaql:
- expression: regex('(?:https?://)?(.*)/').split($.data)[2]
- data: {str_split: [':', {get_param: DockerCephDaemonImage}, 0]}
- - {str_split: [':', {get_param: DockerCephDaemonImage}, 0]}
- ceph_docker_image_tag: {str_split: [':', {get_param: DockerCephDaemonImage}, 1]}
+ ceph_docker_registry: {get_attr: [DockerImageUrlParts, value, host]}
+ ceph_docker_image: {get_attr: [DockerImageUrlParts, value, image]}
+ ceph_docker_image_tag: {get_attr: [DockerImageUrlParts, value, image_tag]}
containerized_deployment: true
public_network: {get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephMonNetwork]}]}
monitor_address_block: {get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephMonNetwork]}]}
@@ -186,11 +209,17 @@ outputs:
CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName}
GLANCE_POOL: {get_param: GlanceRbdPoolName}
GNOCCHI_POOL: {get_param: GnocchiRbdPoolName}
- acls:
- - "u:glance:r--"
- - "u:nova:r--"
- - "u:cinder:r--"
- - "u:gnocchi:r--"
+ mode: "0644"
+ - name:
+ list_join:
+ - '.'
+ - - client
+ - {get_param: ManilaCephFSNativeCephFSAuthId}
+ key: {get_param: CephManilaClientKey}
+ mon_cap: "allow r, allow command auth del, allow command auth caps, allow command auth get, allow command auth get-or-create"
+ mds_cap: "allow *"
+ osd_cap: "allow rw"
+ mode: "0644"
keys: *openstack_keys
pools: []
ceph_conf_overrides:
diff --git a/docker/services/ceph-ansible/ceph-mds.yaml b/docker/services/ceph-ansible/ceph-mds.yaml
new file mode 100644
index 00000000..4ef3a669
--- /dev/null
+++ b/docker/services/ceph-ansible/ceph-mds.yaml
@@ -0,0 +1,83 @@
+heat_template_version: pike
+
+description: >
+ Ceph Metadata service.
+
+parameters:
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ CephMdsKey:
+ description: The cephx key for the MDS service. Can be created
+ with ceph-authtool --gen-print-key.
+ type: string
+ hidden: true
+ ManilaCephFSDataPoolName:
+ default: manila_data
+ type: string
+ ManilaCephFSMetadataPoolName:
+ default: manila_metadata
+ type: string
+ ManilaCephFSNativeShareBackendName:
+ default: cephfs
+ type: string
+
+resources:
+ CephBase:
+ type: ./ceph-base.yaml
+ properties:
+ ServiceData: {get_param: ServiceData}
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ RoleName: {get_param: RoleName}
+ RoleParameters: {get_param: RoleParameters}
+
+outputs:
+ role_data:
+ description: Role data for the Ceph Metadata service.
+ value:
+ service_name: ceph_mds
+ upgrade_tasks: []
+ step_config: ''
+ puppet_config:
+ config_image: ''
+ config_volume: ''
+ step_config: ''
+ docker_config: {}
+ service_workflow_tasks: {get_attr: [CephBase, role_data, service_workflow_tasks]}
+ config_settings:
+ map_merge:
+ - tripleo.ceph_mds.firewall_rules:
+ '112 ceph_mds':
+ dport:
+ - '6800-7300'
+ - ceph_mds_ansible_vars:
+ map_merge:
+ - {get_attr: [CephBase, role_data, config_settings, ceph_common_ansible_vars]}
+ - cephfs_data: {get_param: ManilaCephFSDataPoolName}
+ cephfs_metadata: {get_param: ManilaCephFSMetadataPoolName}
+ cephfs: {get_param: ManilaCephFSNativeShareBackendName}
diff --git a/docker/services/database/mongodb.yaml b/docker/services/database/mongodb.yaml
index 5ba79b31..9b5c5b8f 100644
--- a/docker/services/database/mongodb.yaml
+++ b/docker/services/database/mongodb.yaml
@@ -36,6 +36,18 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
@@ -77,6 +89,10 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
permissions:
- path: /var/lib/mongodb
owner: mongodb:mongodb
@@ -84,6 +100,8 @@ outputs:
- path: /var/log/mongodb
owner: mongodb:mongodb
recurse: true
+ - path: /etc/pki/tls/certs/mongodb.pem
+ owner: mongodb:mongodb
docker_config:
step_2:
mongodb:
@@ -91,11 +109,21 @@ outputs:
net: host
privileged: false
volumes: &mongodb_volumes
- - /var/lib/kolla/config_files/mongodb.json:/var/lib/kolla/config_files/config.json
- - /var/lib/config-data/puppet-generated/mongodb/:/var/lib/kolla/config_files/src:ro
- - /etc/localtime:/etc/localtime:ro
- - /var/log/containers/mongodb:/var/log/mongodb
- - /var/lib/mongodb:/var/lib/mongodb
+ list_concat:
+ - - /var/lib/kolla/config_files/mongodb.json:/var/lib/kolla/config_files/config.json
+ - /var/lib/config-data/puppet-generated/mongodb/:/var/lib/kolla/config_files/src:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /var/log/containers/mongodb:/var/log/mongodb
+ - /var/lib/mongodb:/var/lib/mongodb
+ - if:
+ - internal_tls_enabled
+ - - list_join:
+ - ':'
+ - - {get_param: InternalTLSCAFile}
+ - {get_param: InternalTLSCAFile}
+ - 'ro'
+ - /etc/pki/tls/certs/mongodb.pem:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mongodb.pem:ro
+ - null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
docker_puppet_tasks:
@@ -106,8 +134,18 @@ outputs:
step_config: 'include ::tripleo::profile::base::database::mongodb'
config_image: *mongodb_config_image
volumes:
- - /var/lib/mongodb:/var/lib/mongodb
- - /var/log/containers/mongodb:/var/log/mongodb
+ list_concat:
+ - - /var/lib/mongodb:/var/lib/mongodb
+ - /var/log/containers/mongodb:/var/log/mongodb
+ - if:
+ - internal_tls_enabled
+ - - list_join:
+ - ':'
+ - - {get_param: InternalTLSCAFile}
+ - {get_param: InternalTLSCAFile}
+ - 'ro'
+ - /etc/pki/tls/certs/mongodb.pem:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mongodb.pem:ro
+ - null
host_prep_tasks:
- name: create persistent directories
file:
@@ -116,6 +154,8 @@ outputs:
with_items:
- /var/log/containers/mongodb
- /var/lib/mongodb
+ metadata_settings:
+ get_attr: [MongodbPuppetBase, role_data, metadata_settings]
upgrade_tasks:
- name: Stop and disable mongodb service
tags: step2
diff --git a/docker/services/database/mysql.yaml b/docker/services/database/mysql.yaml
index 54331415..402dc351 100644
--- a/docker/services/database/mysql.yaml
+++ b/docker/services/database/mysql.yaml
@@ -40,6 +40,18 @@ parameters:
type: string
hidden: true
default: ''
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
@@ -86,10 +98,21 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
+ optional: true
permissions:
- path: /var/lib/mysql
owner: mysql:mysql
recurse: true
+ - path: /etc/pki/tls/certs/mysql.crt
+ owner: mysql:mysql
+ optional: true
+ - path: /etc/pki/tls/private/mysql.key
+ owner: mysql:mysql
+ optional: true
docker_config:
# Kolla_bootstrap runs before permissions set by kolla_config
step_1:
@@ -108,12 +131,25 @@ outputs:
# Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
command: ['bash', '-c', 'test -e /var/lib/mysql/mysql || kolla_start']
volumes: &mysql_volumes
- - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json
- - /var/lib/config-data/puppet-generated/mysql/:/var/lib/kolla/config_files/src:ro
- - /etc/localtime:/etc/localtime:ro
- - /etc/hosts:/etc/hosts:ro
- - /var/lib/mysql:/var/lib/mysql
- - /var/log/containers/mysql:/var/log/mariadb
+ list_concat:
+ -
+ - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json
+ - /var/lib/config-data/puppet-generated/mysql/:/var/lib/kolla/config_files/src:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/hosts:/etc/hosts:ro
+ - /var/lib/mysql:/var/lib/mysql
+ - /var/log/containers/mysql:/var/log/mariadb
+ - if:
+ - internal_tls_enabled
+ -
+ - list_join:
+ - ':'
+ - - {get_param: InternalTLSCAFile}
+ - {get_param: InternalTLSCAFile}
+ - 'ro'
+ - /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
+ - /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
+ - null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- KOLLA_BOOTSTRAP=True
@@ -146,9 +182,24 @@ outputs:
step_config: 'include ::tripleo::profile::base::database::mysql'
config_image: *mysql_config_image
volumes:
- - /var/lib/mysql:/var/lib/mysql/:ro
- - /var/log/containers/mysql:/var/log/mariadb
- - /var/lib/config-data/mysql/root:/root:ro #provides .my.cnf
+ list_concat:
+ -
+ - /var/lib/mysql:/var/lib/mysql/:ro
+ - /var/log/containers/mysql:/var/log/mariadb
+ - /var/lib/config-data/mysql/root:/root:ro #provides .my.cnf
+ - if:
+ - internal_tls_enabled
+ -
+ - list_join:
+ - ':'
+ - - {get_param: InternalTLSCAFile}
+ - {get_param: InternalTLSCAFile}
+ - 'ro'
+ - /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
+ - /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
+ - null
+ metadata_settings:
+ get_attr: [MysqlPuppetBase, role_data, metadata_settings]
host_prep_tasks:
- name: create persistent directories
file:
diff --git a/docker/services/glance-api.yaml b/docker/services/glance-api.yaml
index 044eb283..df226b15 100644
--- a/docker/services/glance-api.yaml
+++ b/docker/services/glance-api.yaml
@@ -39,10 +39,16 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ GlanceNfsEnabled:
+ default: false
+ description: >
+ When using GlanceBackend 'file', mount NFS share for image storage.
+ type: boolean
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+ nfs_backend_enabled: {equals: [{get_param: GlanceNfsEnabled}, true]}
resources:
@@ -128,6 +134,11 @@ outputs:
- /var/lib/config-data/puppet-generated/glance_api/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/glance:/var/log/glance
- /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
+ -
+ if:
+ - nfs_backend_enabled
+ - /var/lib/glance:/var/lib/glance
+ - ''
environment:
- KOLLA_BOOTSTRAP=True
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
diff --git a/docker/services/gnocchi-api.yaml b/docker/services/gnocchi-api.yaml
index 7c6b6766..1443da40 100644
--- a/docker/services/gnocchi-api.yaml
+++ b/docker/services/gnocchi-api.yaml
@@ -116,6 +116,7 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
+ - /var/lib/config-data/gnocchi/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro
- /var/lib/config-data/gnocchi/etc/gnocchi/:/etc/gnocchi/:ro
- /var/log/containers/gnocchi:/var/log/gnocchi
- /etc/ceph:/etc/ceph:ro
diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml
index 2f0584ea..f0e2f71d 100644
--- a/docker/services/haproxy.yaml
+++ b/docker/services/haproxy.yaml
@@ -60,6 +60,18 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
@@ -86,6 +98,9 @@ outputs:
- get_attr: [HAProxyBase, role_data, config_settings]
- tripleo::haproxy::haproxy_daemon: false
tripleo::haproxy::haproxy_service_manage: false
+ # NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
+ # when this is updated
+ tripleo::haproxy::crl_file: null
step_config: &step_config
get_attr: [HAProxyBase, role_data, step_config]
service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
@@ -96,12 +111,23 @@ outputs:
step_config:
"class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
config_image: {get_param: DockerHAProxyConfigImage}
- volumes: &deployed_cert_mount
- - list_join:
- - ':'
- - - {get_param: DeployedSSLCertificatePath}
- - {get_param: DeployedSSLCertificatePath}
- - 'ro'
+ volumes:
+ list_concat:
+ - - list_join:
+ - ':'
+ - - {get_param: DeployedSSLCertificatePath}
+ - {get_param: DeployedSSLCertificatePath}
+ - 'ro'
+ - if:
+ - internal_tls_enabled
+ - - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro
+ - /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro
+ - list_join:
+ - ':'
+ - - {get_param: InternalTLSCAFile}
+ - {get_param: InternalTLSCAFile}
+ - 'ro'
+ - null
kolla_config:
/var/lib/kolla/config_files/haproxy.json:
command: haproxy -f /etc/haproxy/haproxy.cfg
@@ -110,6 +136,16 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
+ optional: true
+ permissions:
+ - path: /etc/pki/tls/certs/haproxy
+ owner: haproxy:haproxy
+ recurse: true
+ optional: true
docker_config:
step_1:
haproxy_firewall:
@@ -133,7 +169,6 @@ outputs:
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - *deployed_cert_mount
-
- /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
@@ -154,10 +189,24 @@ outputs:
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - *deployed_cert_mount
-
- /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
+ - list_join:
+ - ':'
+ - - {get_param: DeployedSSLCertificatePath}
+ - {get_param: DeployedSSLCertificatePath}
+ - 'ro'
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
+ - ''
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
+ - ''
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
diff --git a/docker/services/heat-engine.yaml b/docker/services/heat-engine.yaml
index a20dc131..fdba7d58 100644
--- a/docker/services/heat-engine.yaml
+++ b/docker/services/heat-engine.yaml
@@ -109,6 +109,7 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
+ - /var/lib/config-data/heat/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro
- /var/lib/config-data/heat/etc/heat/:/etc/heat/:ro
- /var/log/containers/heat:/var/log/heat
command: "/usr/bin/bootstrap_host_exec heat_engine su heat -s /bin/bash -c 'heat-manage db_sync'"
diff --git a/docker/services/neutron-api.yaml b/docker/services/neutron-api.yaml
index b4fce226..85a07128 100644
--- a/docker/services/neutron-api.yaml
+++ b/docker/services/neutron-api.yaml
@@ -122,6 +122,7 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
+ - /var/lib/config-data/neutron/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro
- /var/lib/config-data/neutron/etc/neutron:/etc/neutron:ro
- /var/lib/config-data/neutron/usr/share/neutron:/usr/share/neutron:ro
- /var/log/containers/neutron:/var/log/neutron
diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml
index da461049..be2c8a5e 100644
--- a/docker/services/nova-api.yaml
+++ b/docker/services/nova-api.yaml
@@ -36,6 +36,13 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
@@ -64,9 +71,6 @@ outputs:
map_merge:
- get_attr: [NovaApiBase, role_data, config_settings]
- apache::default_vhost: false
- nova_wsgi_enabled: false
- nova::api::service_name: '%{::nova::params::api_service_name}'
- nova::wsgi::apache_api::ssl: false
step_config: &step_config
list_join:
- "\n"
@@ -82,7 +86,7 @@ outputs:
config_image: {get_param: DockerNovaConfigImage}
kolla_config:
/var/lib/kolla/config_files/nova_api.json:
- command: /usr/bin/nova-api
+ command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
@@ -112,7 +116,7 @@ outputs:
user: root
volumes:
- /var/log/containers/nova:/var/log/nova
- command: ['/bin/bash', '-c', 'chown -R nova:nova /var/log/nova']
+ command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd; chown -R nova:nova /var/log/nova']
step_3:
nova_api_db_sync:
start_order: 0
@@ -124,6 +128,7 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
+ - /var/lib/config-data/nova/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro
- /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro
- /var/log/containers/nova:/var/log/nova
command: "/usr/bin/bootstrap_host_exec nova_api su nova -s /bin/bash -c '/usr/bin/nova-manage api_db sync'"
@@ -163,7 +168,7 @@ outputs:
start_order: 2
image: *nova_api_image
net: host
- user: nova
+ user: root
privileged: true
restart: always
volumes:
@@ -173,6 +178,16 @@ outputs:
- /var/lib/kolla/config_files/nova_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/nova:/var/log/nova
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+ - ''
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+ - ''
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
nova_api_cron:
diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml
index 916b057e..7637e6e9 100644
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@@ -12,10 +12,6 @@ parameters:
DockerNovaLibvirtConfigImage:
description: The container image to use for the nova_libvirt config_volume
type: string
- EnablePackageInstall:
- default: 'false'
- description: Set to true to enable package installation at deploy time
- type: boolean
ServiceData:
default: {}
description: Dictionary packing service data
@@ -144,13 +140,45 @@ outputs:
dest: "/etc/ceph/"
merge: true
preserve_properties: true
+ /var/lib/kolla/config_files/nova_virtlogd.json:
+ command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
+ config_files:
+ - source: "/var/lib/kolla/config_files/src/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
permissions:
- path: /var/log/nova
owner: nova:nova
recurse: true
docker_config:
step_3:
+ nova_virtlogd:
+ start_order: 0
+ image: {get_param: DockerNovaLibvirtImage}
+ net: host
+ pid: host
+ privileged: true
+ restart: always
+ volumes:
+ list_concat:
+ - {get_attr: [ContainersCommon, volumes]}
+ -
+ - /var/lib/kolla/config_files/nova_virtlogd.json:/var/lib/kolla/config_files/config.json:ro
+ - /var/lib/config-data/puppet-generated/nova_libvirt/:/var/lib/kolla/config_files/src:ro
+ - /lib/modules:/lib/modules:ro
+ - /dev:/dev
+ - /run:/run
+ - /sys/fs/cgroup:/sys/fs/cgroup
+ - /var/lib/nova:/var/lib/nova
+ - /var/run/libvirt:/var/run/libvirt
+ - /var/lib/libvirt:/var/lib/libvirt
+ - /etc/libvirt/qemu:/etc/libvirt/qemu:ro
+ - /var/log/libvirt/qemu:/var/log/libvirt/qemu
+ environment:
+ - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
nova_libvirt:
+ start_order: 1
image: {get_param: DockerNovaLibvirtImage}
net: host
pid: host
@@ -169,7 +197,6 @@ outputs:
- /sys/fs/cgroup:/sys/fs/cgroup
- /var/lib/nova:/var/lib/nova
- /etc/libvirt:/etc/libvirt
- # Needed to use host's virtlogd
- /var/run/libvirt:/var/run/libvirt
- /var/lib/libvirt:/var/lib/libvirt
- /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro
@@ -216,22 +243,6 @@ outputs:
file:
path: /etc/ceph
state: directory
- - name: set enable_package_install fact
- set_fact:
- enable_package_install: {get_param: EnablePackageInstall}
- # We use virtlogd on host, so when using Deployed Server
- # feature, we need to ensure libvirt is installed.
- - name: install libvirt-daemon
- package:
- name: libvirt-daemon
- state: present
- when: enable_package_install
- - name: start virtlogd socket
- service:
- name: virtlogd.socket
- state: started
- enabled: yes
- when: enable_package_install
upgrade_tasks:
- name: Stop and disable libvirtd service
tags: step2
diff --git a/docker/services/nova-placement.yaml b/docker/services/nova-placement.yaml
index d784ace3..26d17560 100644
--- a/docker/services/nova-placement.yaml
+++ b/docker/services/nova-placement.yaml
@@ -36,6 +36,13 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
@@ -104,6 +111,16 @@ outputs:
- /var/lib/kolla/config_files/nova_placement.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova_placement/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/nova:/var/log/nova
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+ - ''
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+ - ''
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
diff --git a/docker/services/pacemaker/database/mysql.yaml b/docker/services/pacemaker/database/mysql.yaml
index 3fb38349..8ba7d723 100644
--- a/docker/services/pacemaker/database/mysql.yaml
+++ b/docker/services/pacemaker/database/mysql.yaml
@@ -43,6 +43,14 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
resources:
@@ -59,6 +67,10 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
outputs:
role_data:
description: Containerized service MySQL using composable services.
@@ -79,6 +91,13 @@ outputs:
- 4567
- 4568
- 9200
+ -
+ if:
+ - internal_tls_enabled
+ -
+ tripleo::profile::pacemaker::database::mysql_bundle::ca_file:
+ get_param: InternalTLSCAFile
+ - {}
step_config: ""
# BEGIN DOCKER SETTINGS #
puppet_config:
@@ -103,6 +122,20 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ optional: true
+ preserve_properties: true
+ permissions:
+ - path: /etc/pki/tls/certs/mysql.crt
+ owner: mysql:mysql
+ perm: '0600'
+ optional: true
+ - path: /etc/pki/tls/private/mysql.key
+ owner: mysql:mysql
+ perm: '0600'
+ optional: true
docker_config:
step_1:
mysql_data_ownership:
@@ -195,6 +228,8 @@ outputs:
file:
path: /var/lib/mysql
state: directory
+ metadata_settings:
+ get_attr: [MysqlPuppetBase, role_data, metadata_settings]
upgrade_tasks:
- name: get bootstrap nodeid
tags: common
@@ -220,3 +255,9 @@ outputs:
- name: Disable mysql service
tags: step2
service: name=mariadb enabled=no
+ - name: Remove clustercheck service from xinetd
+ tags: step2
+ file: state=absent path=/etc/xinetd.d/galera-monitor
+ - name: Restart xinetd service after clustercheck removal
+ tags: step2
+ service: name=xinetd state=restarted
diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml
index 24155912..5ba54f85 100644
--- a/docker/services/pacemaker/haproxy.yaml
+++ b/docker/services/pacemaker/haproxy.yaml
@@ -41,6 +41,22 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
+ InternalTLSCRLPEMFile:
+ default: '/etc/pki/CA/crl/overcloud-crl.pem'
+ type: string
+ description: Specifies the default CRL PEM file to use for revocation if
+ TLS is used for services in the internal network.
+ HAProxyInternalTLSCertsDirectory:
+ default: '/etc/pki/tls/certs/haproxy'
+ type: string
+ HAProxyInternalTLSKeysDirectory:
+ default: '/etc/pki/tls/private/haproxy'
+ type: string
resources:
@@ -65,6 +81,17 @@ outputs:
- tripleo::haproxy::haproxy_daemon: false
haproxy_docker: true
tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image {get_param: DockerHAProxyImage}
+ # the list of directories that contain the certs to bind mount in the countainer
+ # bind-mounting the directories rather than all the cert, key and pem files ensures
+ # that docker won't create directories on the host when then pem files do not exist
+ tripleo::profile::pacemaker::haproxy_bundle::tls_mapping: &tls_mapping
+ - get_param: InternalTLSCAFile
+ - get_param: HAProxyInternalTLSKeysDirectory
+ - get_param: HAProxyInternalTLSCertsDirectory
+ tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory}
+ tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory}
+ # disable the use CRL file until we can restart the container when the file expires
+ tripleo::haproxy::crl_file: null
step_config: ""
service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
@@ -80,11 +107,9 @@ outputs:
- 'include ::tripleo::profile::pacemaker::haproxy_bundle'
config_image: {get_param: DockerHAProxyConfigImage}
volumes: &deployed_cert_mount
- - list_join:
- - ':'
- - - {get_param: DeployedSSLCertificatePath}
- - {get_param: DeployedSSLCertificatePath}
- - 'ro'
+ yaql:
+ expression: $.data.select($+":"+$+":ro")
+ data: *tls_mapping
kolla_config:
/var/lib/kolla/config_files/haproxy.json:
command: haproxy -f /etc/haproxy/haproxy.cfg
@@ -94,6 +119,28 @@ outputs:
merge: true
preserve_properties: true
optional: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ optional: true
+ preserve_properties: true
+ permissions:
+ - path:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSCertsDirectory}
+ - '/*'
+ owner: haproxy:haproxy
+ perm: '0600'
+ optional: true
+ - path:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSKeysDirectory}
+ - '/*'
+ owner: haproxy:haproxy
+ perm: '0600'
+ optional: true
docker_config:
step_2:
haproxy_init_bundle:
diff --git a/docker/services/pacemaker/rabbitmq.yaml b/docker/services/pacemaker/rabbitmq.yaml
index de53ceee..d8e50afd 100644
--- a/docker/services/pacemaker/rabbitmq.yaml
+++ b/docker/services/pacemaker/rabbitmq.yaml
@@ -92,6 +92,11 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ optional: true
+ preserve_properties: true
permissions:
- path: /var/lib/rabbitmq
owner: rabbitmq:rabbitmq
@@ -99,6 +104,14 @@ outputs:
- path: /var/log/rabbitmq
owner: rabbitmq:rabbitmq
recurse: true
+ - path: /etc/pki/tls/certs/rabbitmq.crt
+ owner: rabbitmq:rabbitmq
+ perm: '0600'
+ optional: true
+ - path: /etc/pki/tls/private/rabbitmq.key
+ owner: rabbitmq:rabbitmq
+ perm: '0600'
+ optional: true
# When using pacemaker we don't launch the container, instead that is done by pacemaker
# itself.
docker_config:
@@ -164,6 +177,8 @@ outputs:
echo 'export ERL_EPMD_ADDRESS=127.0.0.1' > /etc/rabbitmq/rabbitmq-env.conf
echo 'export ERL_EPMD_PORT=4370' >> /etc/rabbitmq/rabbitmq-env.conf
for pid in $(pgrep epmd); do if [ "$(lsns -o NS -p $pid)" == "$(lsns -o NS -p 1)" ]; then kill $pid; break; fi; done
+ metadata_settings:
+ get_attr: [RabbitmqBase, role_data, metadata_settings]
upgrade_tasks:
- name: get bootstrap nodeid
tags: common
diff --git a/docker/services/panko-api.yaml b/docker/services/panko-api.yaml
index 01c17388..626d9176 100644
--- a/docker/services/panko-api.yaml
+++ b/docker/services/panko-api.yaml
@@ -116,6 +116,7 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
+ - /var/lib/config-data/panko/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro
- /var/lib/config-data/panko/etc/panko:/etc/panko:ro
- /var/log/containers/panko:/var/log/panko
command: "/usr/bin/bootstrap_host_exec panko_api su panko -s /bin/bash -c '/usr/bin/panko-dbsync'"