2017-11-08 | Add --detailed-exitcodes when running puppet via ansible | Michele Baldessari | 1 | -3/+11
puppet run on never fails, even when it should, since we moved to the ansible way of applying it. The reason is the current following code:
    - name: Run puppet host configuration for step {{step}}
      command: >-
        puppet apply
        --modulepath=/etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules
        --logdest syslog --logdest console --color=false
        /var/lib/tripleo-config/puppet_step_config.pp
The above is missing the --detailed-exitcodes switch and so puppet will never really error out on us and the deployment will keep on running all the steps even though a previous puppet manifest might have failed. This causes extra hard-to-debug failures.
Initially the issue was observed on the puppet host runs, but this parameter is missing also from docker-puppet.py, so let's add it there as well as it makes sense to return proper error codes whenever we call puppet.
Besides this being a good idea in general, we actually *have* to do it because puppet does not fail correctly without this option due to the following puppet bug: https://tickets.puppetlabs.com/browse/PUP-2754
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Change-Id: Ie9df4f520645404560a9635fb66e3af42b966f54
Closes-Bug: #1723163
(cherry picked from commit 11e599d116cfbf7df4dcd0e7670c3405a4224c1a)
2017-10-18 | Also match config volumes for /var/lib/config-data/puppet-generated/ | Steven Hardy | 1 | -5/+7
Some services only mount this directory, not /var/lib/config-data/$service so handle this case in the docker-puppet code that maps the mounted volumes to the services when adding the config hash to the container environment.
Change-Id: I3bdb7609f322458584ac9597ffbfefb057b84646
Closes-Bug: #1720208
(cherry picked from commit 3a932b056914d148fa460b8890fc0e631c817a40)
2017-09-11 | Add a docker pull retry to docker-puppet.py | Dan Prince | 1 | -4/+18
Co-Authored-By: Ian Main <imain@redhat.com>
Change-Id: Iad6d38690340f4a064a4527c58ed439d91fa5188
Closes-bug: #1715136
(cherry picked from commit d3b3361a76c2e8b188fa8e586d9fb7f3c60bb66f)
2017-09-05 | Set mode for ansible written files | Steven Hardy | 1 | -0/+1
Use a more restrictive mode for these files, as some may contain sensitive data which shouldn't be world readable
Closes-Bug: #1714986
Change-Id: Ib1e79b1d4e25d6e329938402b1ca776bdab81bdd
(cherry picked from commit 94c7752cfae64d96124a32bc36ccd6ec7b4df4a7)
2017-09-04 | Stop hardcoding host's config volume path | Martin André | 1 | -1/+1
Get the path from the CONFIG_VOLUME_PREFIX environment variable. This is useful for debugging and generating configuration files to a different directory.
Change-Id: Ib85e3898804312ebb6677a5fa189fbfc357ce27c
(cherry picked from commit 0c62b6cd8d696befb1c0c31bb6e206199ce1edac)
2017-08-29 | Set docker-puppet --health-cmd = /bin/true | Dan Prince | 1 | -0/+1
Change-Id: Idf627a348cad8d5287c82cb393367210f1c760cf
Closes-bug: #1713185
(cherry picked from commit 20e1f0e8c9a2bbc3734f6eec0ee9ac2d5156f166)
2017-07-28 | Also log docker-puppet.py puppet output to console | Bogdan Dobrelya | 1 | -1/+1
Running puppet apply with --logdest syslog results in all the output being redirected to syslog. You get no error messages. In the case where this fails, the subsequent debug task shows nothing useful as there was no stdout/stderr. Also pass --logdest console to docker-puppet's puppet apply so that we get the output for the debug task.
Related-Bug: #1707030
Change-Id: I67df5eee9916237420ca646a16e188f26c828c0e
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-07-23 | Add support for nova live/cold-migration with containers | Oliver Walsh | 1 | -1/+1
Updates hieradata for changes in https://review.openstack.org/471950.
Creates a new service - NovaMigrationTarget. On baremetal this just configures live/cold-migration. On docker it includes a container running a second sshd service on an alternative port.
Configures /var/lib/nova/.ssh/config and mounts in nova-compute and libvirtd containers.
Change-Id: Ic4b810ff71085b73ccd08c66a3739f94e6c0c427
Implements: blueprint tripleo-cold-migration
Depends-On: I6c04cebd1cf066c79c5b4335011733d32ac208dc
Depends-On: I063a84a8e6da64ae3b09125cfa42e48df69adc12
2017-07-18 | Merge "Improve logs from ansible, puppet, docker-puppet.py" | Jenkins | 1 | -14/+28
2017-07-14 | Improve logs from ansible, puppet, docker-puppet.py | Bogdan Dobrelya | 1 | -14/+28
* Debug ansible 'puppet apply' stderr joined stdout, split by lines.
* Do 'puppet apply' w/o colors, logdest syslog, and given a wanted modulepath instead of the module puppet, that can't support those options.
* Bind-mount syslog socket for docker-puppet.py to pass puppet logs to host OS syslog.
* Fix logging handlers for multiprocess workers in docker-puppet.py.
Related-bug: #1698172
Closes-bug: #1700086
Change-Id: I84112a836e968aa5c3596a6544e0392980529963
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-07-12 | Add support for running crontabs in containers | Oliver Walsh | 1 | -3/+3
This change enables the puppet cron resource in docker-puppet.py and adds user crontabs to the paths copied from the config containers.
Only the nova crontab is configured for now. Other services will require similar changes to run their crontabs.
Partial-Bug: 1701254
Change-Id: I2d1d0f0d77908a132472cf4bc475f8bd526af504
Depends-On: Ie16fb4539481a3c192cff8220a97daa4c70467fc
2017-07-10 | Copy only generated puppet files into the container | Martin André | 1 | -4/+6
This solves a problem with bind-mounts when the containers are holding file descriptors open. At the same time this makes the template more robust to puppet changes since new config files will be available in the containers without needing to update the templates.
Partial-Bug: #1698323
Change-Id: Ia4ad6d77387e3dc354cd131c2f9756939fb8f736
2017-07-03 | Adds docker OpenDaylight | Tim Rozet | 1 | -1/+1
Depends-On: I020550ede0ef981582392cf6c48dd5cb5823a074
Depends-On: I610b07a3c2bcf1c3288f76112a08b81c50e06913
Depends-On: I3d378044b3da5309b60967a12df7800520a254dc
Depends-On: I9c32b41ef865a09587f3ebfe8b8a896031fbd285
Depends-On: Ib31bf29bc69f5c58e98b99c3e598b19c99efc77f
Change-Id: I36c7390ddb4192e55ee56006fd6e9c5f8704445c
Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-06-29 | Force mtime for tar used in container config md5sums | Steven Hardy | 1 | -1/+1
The checksum is changing each run because the mtime is different, so force a specific date such that we only compare the directory contents.
Change-Id: I5ed2b50176f902d7af12b96e650b67b736d59a4a
2017-06-28 | Default docker-puppet.py logging to INFO | Dan Prince | 1 | -11/+19
If you want debug logging you can set the new DockerPuppetDebug heat parameter to 'True'.
Change-Id: Iae7bb67379351ea15d61c331867d7005f07ba98e
Closes-bug: 1700570
2017-06-16 | Make a copy of files touched by puppet in container | Martin André | 1 | -0/+7
This should help determine what exactly needs to be bind mounted in the container and should also help limit the size of collected logs in CI, as collecting the entire /etc directory from each container can grow pretty quickly in size and is not that useful.
Related-Bug: #1698172
Change-Id: Ie2bded39cdb82a72f0c28f1c552403cd11b5af45
2017-06-14 | Replace NO_ARCHIVE block with single call to rsync | Steve Baker | 1 | -27/+13
Also attempts to move the workaround for bug #1696283 to before the puppet apply call.
Closes-Bug: #1696622
Change-Id: I3a195466a5039e7641e843c11e5436440bfc5a01
2017-06-08 | Write md5sum for service config directories | Steven Hardy | 1 | -0/+53
The configuration generated by docker-puppet may change on update, so checksum the combined files from the config-data directories, to enable detecting those that have changed and restarting the appropriate containers - we need to merge this checksum into the environment passed to the containers, as this will cause paunch to correctly restart containers when the configuration generated changes, even if the rest of the json definition provided by heat does not.
Change-Id: I40d9080cf3ad708ef4ed91e46d2b2ae1138bb9c3
2017-06-07 | Ensure /etc/ssh/ssh_known_hosts exist in docker config-data. | Oliver Walsh | 1 | -0/+4
Works around the issue encountered in 1696283.
Change-Id: I1947d9d1e3cabc5dfe25ee1af994d684425bdbf7
Resolves-Bug: #1696283
2017-05-17 | Don't delete failed docker-puppet containers | Steve Baker | 1 | -1/+3
This helps a bit with debugging issues, and the container will be deleted on the next run when the same volume is configured.
Change-Id: I4f2f219bd7e40abafd0eb31c1275fdd8ed4db4da
2017-05-10 | Make docker-puppet.sh a static file. | Steve Baker | 1 | -21/+22
Variables are now passed in with --env in the docker run call. This will allow docker-puppet.sh to be baked into the image instead of having it as a custom entrypoint.
Change-Id: Icbaefe033becc6b2226535f28ee202917bdc1074
2017-05-02 | Improve logging for docker-puppet.py | Bogdan Dobrelya | 1 | -36/+50
Log prepared docker command
Use logger stdout instead of print command
Log stderr as debug as well
Change-Id: I3d48fbf4fa3381d325e3be3788b041e06d4bb294
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-04-13 | Merge "Do not log errors on non-existing container" | Jenkins | 1 | -1/+4
2017-04-12 | docker/all: Bind-mount OpenSSL CA bundle | Juan Antonio Osorio Robles | 1 | -0/+6
The containers also need to trust the CAs that the overcloud node trusts, else we'll get SSL verification failures.
bp tls-via-certmonger-containers
Change-Id: I7d3412a6273777712db2c90522e365c413567c49
2017-04-11 | Do not log errors on non-existing container | Martin André | 1 | -1/+4
This is cluttering up the logs with useless error messages, making it more difficult than necessary to debug the CI job.
Change-Id: Icbdc4c74d99fea39b8722955dab56e5f538849aa
2017-04-06 | Merge "docker-puppet.py fail if any worker fails" | Jenkins | 1 | -1/+10
2017-03-28 | Allow to configure policy.json for OpenStack projects | Emilien Macchi | 1 | -2/+2
For both containers and classic deployments, allow to configure policy.json for all OpenStack APIs with new parameters (hash, empty by default).
Example of new parameter: NovaApiPolicies. See environments/nova-api-policy.yaml for how the feature can be used.
Note: use it with extreme caution.
Partial-implement: blueprint modify-policy-json
Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
2017-03-22 | docker-puppet: skip empty volume entries | Juan Antonio Osorio Robles | 1 | -1/+2
This allows to optionally add volumes, where we could use a heat conditional to either put the volume path we want or put an empty string which should be safely skipped.
Change-Id: I68f91ffdd8ceb14735adad1322fcf124c47b160c
2017-03-13 | Merge "Pass the DOCKER_* env vars when running docker" | Jenkins | 1 | -0/+5
2017-03-09 | docker-puppet.py fail if any worker fails | Steve Baker | 1 | -1/+10
Currently returncodes are ignored from docker puppet workers, so a failed puppet apply may not manifest until later in the stack deployment due to some other failure. This change logs any failures at the end of the run and returns a failure code if any worker returns a failure code.
Change-Id: I6a504dbeb4c0ac465ce10e7647830524fe0a1160
2017-03-01 | Put docker puppet config in puppet_config dict | Steve Baker | 1 | -0/+3
This approach removes the need for the yaql zip to build the docker-puppet data by building the data in a puppet_config dict. This allows a future change to make docker-puppet.py only accept dict data.
Currently the step_config is left where it is and referenced inside puppet_config, but feedback is welcome whether this is necessary or desirable.
Change-Id: I4a4d7a6fd2735cb841174af305dbb62e0b3d3e8c
2017-03-01 | Pass the DOCKER_* env vars when running docker | Flavio Percoco | 1 | -0/+5
We should always pass the `DOCKER_*` env vars to all the `docker` commands that are executed in the various scripts as those variables may contain the access data for the docker daemon.
Change-Id: Ie719f451350e6ea35cb22d97a8f090ad81fa8141
2017-03-01 | Switch to dict format for docker_puppet_tasks | Steve Baker | 1 | -0/+9
This change gives the option of docker-puppet.py data to be in a dict as well as a list. This allows docker_puppet_tasks data to use the same keys as the top level puppet config data.
If the yaql fu can be worked out to build the top level data, docker-puppet.py can later drop the list format entirely.
Change-Id: I7e2294c6c898d2340421c93516296ccf120aa6d2
2017-02-24 | Add option to diff containers after config stage. | Ian Main | 1 | -0/+9
This allows you to show the changes made to a container during configuration stage for fast development.
Change-Id: Id9c72cf2b07486f0a80bf3572a7ba349888d877f
2017-02-23 | Add step to docker_puppet_tasks | Dan Prince | 1 | -2/+3
This patch sets the step correctly for docker_puppet_tasks. This is now required in order to match the 'step' in some puppet manifests explicitly so that things like keystone initialization run correctly.
Closes-bug: #1667454
Change-Id: If2bdd0b1051125674f116f895832b48723d82b3a
2017-02-22 | Parallelize docker-puppet.py | Ian Main | 1 | -18/+40
Use a pool of worker processes to run the puppet modules so they can all be done in parallel. Defaults to cpu count processes.
Change-Id: I083d302b8cf6538569e4d165221c21df152266bc
2017-02-15 | Add docker_puppet_tasks initialization on primary node | Dan Prince | 1 | -1/+3
This patch adds a new (optional) section to the docker post.j2.yaml that collects any 'docker_puppet_tasks' data from enabled services and applies it on the primary role node (the first node in the primary (first) role).
The use case for this is although we are generally only using puppet for configuration there are several exceptions that we desire to make use of today for parity with baremetal. This includes things like database creation and keystone endpoint initialization which we rely on configuration via hiera variables controlled by the puppet services.
Change-Id: Ic14ef48f26de761b0d0eabd0e1c0eae52d90e68a
2017-02-15 | docker: new hybrid deployment architecture and configuration | Dan Prince | 1 | -0/+210
This patch implements a new docker deployment architecture that should allow us to install docker services in a stepwise manner alongside of baremetal puppet services. This works by using Yaql to select docker specific services (docker/services/*.yaml) vs the puppet specific ones and then applying the selected Json to relevant Heat software deployments for docker and baremetal puppet in a stepwise fashion.
Additionally the new architecture leverages new composable services interfaces from Newton to allow configuration of per-service container configuration sets (directories that are bind mounted into kolla containers) by using the Kolla containers themselves. It does this by spinning up a throw away "configuration only" version of the container being configured itself, then running the puppet apply in that container and copying the generated config files into /var/lib/config-data. This avoids having to install all of the OpenStack dependency packages in the heat-agent-container itself (our previous approach) and should allow us to configure a much wider variety of container config files that would otherwise be impossible with the previous shared approach.
The new approach (combined) should allow us to configure containers in both the undercloud and overcloud and incrementally add CI coverage to services as we containerize them.
Co-Authored-By: Martin André <m.andre@redhat.com>
Co-Authored-By: Ian Main <imain@redhat.com>
Co-Authored-By: Flavio Percoco <flavio@redhat.com>
Change-Id: Ibcff99f03e6751fbf3197adefd5d344178b71fc2