path: root/docker
Age | Commit message | Author | Files | Lines
2017-06-07 | Map /etc/ssh/ssh_known_hosts to all containers | Oliver Walsh | 1 | -0/+1
This allows any ssh client spawned from a container to validate ssh host key. Change-Id: I86d95848e5f049e8af98107cd7027098d6cdee7c Closes-bug: #1693841
2017-06-07 | Ensure /etc/ssh/ssh_known_hosts exist in docker config-data. | Oliver Walsh | 1 | -0/+4
Works around the issue encountered in 1696283. Change-Id: I1947d9d1e3cabc5dfe25ee1af994d684425bdbf7 Resolves-Bug: #1696283
2017-06-04 | Merge "Containerize Redis for HA" | Jenkins | 1 | -0/+140
2017-06-04 | Containerize Redis for HA | Damien | 1 | -0/+140
This service allows configuring and deploying Redis containers in a HA overcloud managed by pacemaker. The containers are managed and run by pacemaker. Inside there is pacemaker_remote which will invoke the resource agent managing galera. The resources themselves are created via puppet-pacemaker inside a short-lived container used for this purpose (mysql_init_bundle). This container needs to use the 'docker_config' section to invoke puppet (as opposed to 'docker_puppet_tasks'), because due to the HA composability each resource creation needs to happen on the bootstrap node of that service and 'docker_puppet_tasks' will only run on the controller/primary role. Co-Authored-By: Michele Baldessari <michele@acksyn.org> Closes-Bug: #1692924 Depends-On: Ia1131611d15670190b7b6654f72e6290bf7f8b9e Change-Id: Ie045954fcc86ef2b3e4562b6f012853177f03948
2017-06-03 | Merge "Containerize clustercheck galera monitor for HA deployments" | Jenkins | 1 | -0/+103
2017-06-03 | Merge "Containerize HAProxy for HA" | Jenkins | 1 | -0/+116
2017-06-03 | Merge "Containerize RabbitMQ for HA" | Jenkins | 1 | -0/+159
2017-06-03 | Merge "Containerize MySQL for HA" | Jenkins | 1 | -0/+180
2017-05-31 | Merge "Containerized nova-compute working with Deployed Server" | Jenkins | 1 | -0/+21
2017-05-30 | Merge "docker bootstrap service commands" | Jenkins | 11 | -28/+36
2017-05-29 | Containerized nova-compute working with Deployed Server | Jiri Stransky | 1 | -0/+21
When using the Deployed Server feature, we rely on Puppet to install packages. But nova-compute/libvirt puppet is running in a container, so it cannot install anything on the host. We rely on virtlogd on the host, so we need to install it there some way. This patch uses host_prep_tasks for that, conditionally based on the EnablePackageInstall stack parameter value. Also multinode-container-upgrade.yaml env is copied as multinode-containers.yaml, to remove the naming confusion, as the environment file can be used for more than just upgrades. The old env file will be removed once we make the upgrade job use the new one (catch 22 type of issue). Change-Id: Ia9b3071daa15bc30792110e5f34cd859cc205fb8
2017-05-24 | Containerize RabbitMQ for HA | Dan Prince | 1 | -0/+159
This service allows configuring and deploying RabbitMQ containers in a HA overcloud managed by pacemaker. The containers are managed and run by pacemaker. Inside there is pacemaker_remote which will invoke the resource agent managing galera. The resources themselves are created via puppet-pacemaker inside a short-lived container used for this purpose (mysql_init_bundle). This container needs to use the 'docker_config' section to invoke puppet (as opposed to 'docker_puppet_tasks'), because due to the HA composability each resource creation needs to happen on the bootstrap node of that service and 'docker_puppet_tasks' will only run on the controller/primary role. Co-Authored-By: Michele Baldessari <michele@acksyn.org> Co-Authored-By: John Eckersberg <jeckersb@redhat.com> Closes-Bug: #1692909 Depends-On: I0722e4a4d4716f477e8304cfa1aadd3eef7c2f31 Change-Id: I942737134385af775cade40c2d69516d4fe31a99
2017-05-24 | Containerize MySQL for HA | Damien Ciabrini | 1 | -0/+180
This service allows configuring and deploying MySQL/galera containers in a HA overcloud managed by pacemaker. The containers are managed and run by pacemaker. Inside there is pacemaker_remote which will invoke the resource agent managing galera. The resources themselves are created via puppet-pacemaker inside a short-lived container used for this purpose (mysql_init_bundle). This container needs to use the 'docker_config' section to invoke puppet (as opposed to 'docker_puppet_tasks'), because due to the HA composability each resource creation needs to happen on the bootstrap node of that service and 'docker_puppet_tasks' will only run on the controller/primary role. Co-Authored-By: Michele Baldessari <michele@acksyn.org> Closes-Bug: #1692842 Depends-On: I3b4d8ad2eec70080419882d5d822f78ebd3721ae Change-Id: I790dbc30b3de1c1a3fe76d3d8f060e4d7f95e2e7
2017-05-24 | Containerize HAProxy for HA | Damien Ciabrini | 1 | -0/+116
This service allows configuring and deploying HAProxy containers in a HA overcloud managed by pacemaker. The containers are managed and run by pacemaker. Pacemaker runs the standard Kolla image but overrides the initial command so that it explicitly calls HAProxy. This way, we shield ourselves from any unexpected future change in Kolla. This container needs to use the 'docker_config' section to invoke puppet (as opposed to 'docker_puppet_tasks'), because due to the HA composability each resource creation needs to happen on the bootstrap node of that service and 'docker_puppet_tasks' will only run on the controller/primary role. Co-Authored-By: Michele Baldessari <michele@acksyn.org> Closes-Bug: #1692908 Depends-On: Ifcf890a88ef003d3ab754cb677cbf34ba8db9312 Change-Id: I2f679bfe195733f4507e9b9e920b678e1370bb82
2017-05-24 | Remove duplicate PreConfig definition | Jiri Stransky | 1 | -7/+0
We had two exactly the same definitions of PreConfig in docker_steps.j2.yaml. We should remove one of them. I chose to remove the first definition, as the 2nd definition is amended by change I674a4d9d2c77d1f6fbdb0996f6c9321848e32662, so we'll avoid a conflict. Change-Id: If65e30daefcf6552e085c7648c6691b7068834d4
2017-05-24 | Fix race condition between docker-puppet and container steps | Jiri Stransky | 1 | -0/+1
GenerateConfigDeployment wasn't anchored with dependencies anywhere. If it took too long to complete and step 1 of containers creation already started executing, problems happened. This is now fixed by adding the required dependency relationship. Change-Id: Ie7dfd2a965e704ba278d4c2fad67f14a3a62799e Closes-Bug: #1692503
2017-05-23 | Containerize clustercheck galera monitor for HA deployments | Damien Ciabrini | 1 | -0/+103
In HA overcloud deployments, HAProxy makes use of a helper service called "clustercheck", to check whether galera nodes are available for serving traffic. This change implements a dedicated service for clustercheck, which was originally part of the pacemaker mysql service. The service is configured by tripleo and the container's lifecycle is managed by docker, like other containerized services. Closes-Bug: #1692969 Change-Id: I8a5b30429f8ec3e484256a62a29ab7dee33ab291 Co-Authored-By: Michele Baldessari <michele@acksyn.org> Depends-on: I1aabe34fa6a9c8c705a4405f275b66502c313cf2
2017-05-22 | docker bootstrap service commands | Dan Prince | 11 | -28/+36
This patch guards db syncs and initialization code from executing on multiple nodes at the same time by using the new bootstrap_host_exec script. This helper script checks to make sure the container is executing on the "bootstrap host" for the specified service (arg 0) and then if it matches runs the specified command. Depends-On: If25f217bbb592edab4e1dde53ca99ed93c0e146c Depends-On: Ic1585bae27c318bd6bafc287e905f2ed250cce0f Change-Id: I0c864ca093ea476248b619d8c88477ef0b64e2eb Closes-Bug: 1688380
2017-05-22 | docker/TLS-everywhere: Add metadata_settings output to templates | Juan Antonio Osorio Robles | 5 | -0/+10
This is needed since it's what writes the service metadata to the nova server in order to create the kerberos principals. It worked in a base controller since the keystone template does have this. But if we would deploy these services on a separate role, it would break. So this output is needed. bp tls-via-certmonger-containers Change-Id: I3ee8c65d356dcd092a3fbf79041e5c69ef23b721
2017-05-20 | Merge "Consolidate writing json configs with HostPrepTasks" | Jenkins | 2 | -98/+56
2017-05-20 | Merge "Update the template_version alias for all the templates to pike." | Jenkins | 11 | -11/+11
2017-05-19 | Merge "Add containerized neutron-metadata agent" | Jenkins | 1 | -0/+110
2017-05-19 | Update the template_version alias for all the templates to pike. | Carlos Camacho | 11 | -11/+11
Master is now the development branch for pike changing the release alias name. Change-Id: I938e4a983e361aefcaa0bd9a4226c296c5823127
2017-05-18 | Add containerized neutron-metadata agent | Brent Eagles | 1 | -0/+110
This patch adds support for running the neutron metadata agent in a container. Change-Id: I53c62516c95d62f5ced70818d4eb4c2c341df0d7 Partial-Bug: #1668922
2017-05-17 | Merge "docker/internal TLS: spawn extra container for neutron server's TLS proxy" | Jenkins | 1 | -14/+42
2017-05-17 | Merge "Don't delete failed docker-puppet containers" | Jenkins | 1 | -1/+3
2017-05-17 | Consolidate writing json configs with HostPrepTasks | Steven Hardy | 2 | -98/+56
We already have an ansible deployment that applies the per-service host_prep_tasks, so we can simplify the dependencies here by just doing the docker-steps host preparation at the same time. The motivation behind this is to both simplify the depends_on web we have here, reduce the number of discrete deployments, and also to potentially make running ansible directly e.g for debugging easier. In a future patch we'll convert the configuration steps to work in a similar way, such that they can be more easily reapplied e.g for rolling minor updates, possibly outside of heat. Change-Id: I9a201fc5a9e82c7fba4c2de36eb5332e21a81d37
2017-05-17 | Merge "Containerize Ceilometer Agents" | Jenkins | 3 | -0/+317
2017-05-17 | Don't delete failed docker-puppet containers | Steve Baker | 1 | -1/+3
This helps a bit with debugging issues, and the container will be deleted on the next run when the same volume is configured. Change-Id: I4f2f219bd7e40abafd0eb31c1275fdd8ed4db4da
2017-05-16 | Containerize Ceilometer Agents | Pradeep Kilambi | 3 | -0/+317
Depends-on: I30ba93f76171e5993b5f0e1d7f1f5533acb25740 Closes-bug: #1668925 Change-Id: I3cb61d2d8765f9c2601bb00c4bfa24162883b96a
2017-05-16 | docker/internal TLS: spawn extra container for neutron server's TLS proxy | Juan Antonio Osorio Robles | 1 | -14/+42
This spawns an extra container that runs httpd to run the TLS proxy that will go in front of neutron server. bp tls-via-certmonger-containers Change-Id: I2529d78e889835f48c51e12d28ecd7c48739b02b
2017-05-16 | Use neutron-server image for neutron services | Juan Antonio Osorio Robles | 5 | -7/+14
For TLS everywhere, neutron-server needs httpd in the image, since it'll use a separate container that runs a TLS proxy to terminate the connection. This requires the image where the configuration is run to have httpd installed, since there are several directories and the user/group that's needed. So, we then switch the image to be used to be neutron-server instead of the openvswitch-agent image. Change-Id: Ie16de3004925b7624f106d6c015ec04ef6031a06 Depends-On: I82f10ac0e7e692e6ba4a06dc10da9eaf79c60e7e
2017-05-15 | Add missing type for RoleParameters parameter | Martin André | 42 | -1/+42
This was forgotten in I72376a803ec6b2ed93903cc0c95a6ffce718b6dc and broke containerized deployment. Change-Id: I599a87bf06efbfefd3067c77ed6ca866505900f9 Closes-Bug: #1690870
2017-05-15 | Add role specific information to the service template | Saravanan KR | 43 | -0/+387
When a service is enabled on multiple roles, the parameters for the service will be global. This change enables an option to provide role specific parameter to services and other templates. Two new parameters - RoleName and RoleParameters, are added to the service template. RoleName provides the role name on which the current instance of the service is being applied. RoleParameters provides the list of parameters which are configured specific to the role in the environment file, like below:

    parameters_default:
      # Default value for applied to all roles
      NovaReservedHostMemory: 2048
      ComputeDpdkParameters:
        # Applied only to ComputeDpdk role
        NovaReservedHostMemory: 4096

In above sample, the cluster contains 2 roles - Compute, ComputeDpdk. The values of ComputeDpdkParameters will be passed on to the templates as RoleParameters while creating the stack for ComputeDpdk role. The parameter which supports role specific configuration, should find the parameter first in the RoleParameters list, if not found, then the default (for all roles) should be used. Implements: blueprint tripleo-derive-parameters Change-Id: I72376a803ec6b2ed93903cc0c95a6ffce718b6dc
2017-05-12 | Merge "docker/internal TLS: spawn extra container for glance API's TLS proxy" | Jenkins | 1 | -9/+38
2017-05-12 | Merge "docker/internal TLS: spawn extra container for swift's TLS proxy" | Jenkins | 1 | -19/+47
2017-05-12 | docker/internal TLS: spawn extra container for glance API's TLS proxy | Juan Antonio Osorio Robles | 1 | -9/+38
This spawns an extra container that runs httpd to run the TLS proxy that will go in front of glance-api. bp tls-via-certmonger-containers Change-Id: If902ac732479832b9aa3e4a8d063b5be68a42a9b
2017-05-12 | docker/internal TLS: spawn extra container for swift's TLS proxy | Juan Antonio Osorio Robles | 1 | -19/+47
This spawns an extra container that runs httpd to run the TLS proxy that will go in front of swift. bp tls-via-certmonger-containers Depends-On: Ib01137cd0d98e6f5a3e49579c080ab18d8905b0d Change-Id: I9639af8b46b8e865cc1fa7249bf1d8b1b978adfe
2017-05-11 | Merge "Make docker-puppet.sh a static file." | Jenkins | 1 | -21/+22
2017-05-10 | Merge "Use httpd in Zaqar docker service" | Jenkins | 1 | -3/+5
2017-05-10 | Merge "Containers: Bind mount directories with the key/certs for heat" | Jenkins | 2 | -0/+32
2017-05-10 | Make docker-puppet.sh a static file. | Steve Baker | 1 | -21/+22
Variables are now passed in with --env in the docker run call. This will allow docker-puppet.sh to be baked into the image instead of having it as a custom entrypoint. Change-Id: Icbaefe033becc6b2226535f28ee202917bdc1074
2017-05-09 | Use httpd in Zaqar docker service | Dan Prince | 1 | -3/+5
Move the Zaqar WSGI service to use httpd in docker deployment. Depends-On: I35cfd1c2320eb972890b44668c8f9f0a047a65dc Change-Id: I56a6469a9179b5c023738f447e7665d0d3c73d0b Co-Authored-By: Martin André <m.andre@redhat.com> Co-Authored-By: Thomas Herve <therve@redhat.com>
2017-05-08 | Containers: Bind mount directories with the key/certs for heat | Juan Antonio Osorio Robles | 2 | -0/+32
This is only done when TLS-everywhere is enabled, and depends on those directories being exclusive for services that run over httpd. bp tls-via-certmonger-containers Change-Id: I194c33992c7f3628f7858ecf5e472ecfdee969ed
2017-05-08 | Add syslog socket to common containers volumes | Bogdan Dobrelya | 1 | -0/+2
Partial blueprint containerized-services-logs Change-Id: Idbf1884226503aca9072b12d050500af407973cf Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-05-05 | Mount hostpath logs on /var/log | Flavio Percoco | 37 | -60/+501
Some containers are using the logs named volume for collecting logs written to `/var/log`. We should make this consistent for all the containers. This patch also cleans up some mounts that weren't needed for some services. For example, glance-api doesn't need `/run` to be mounted.

Other changes:
* Rework log volumes to hostpath mounts to omit slow COW writes.
* Add kolla_config's permission and host_prep_tasks create and manage hostpath mounted log dirs permissions.
* Rework data owning init containers to kolla_config permissions
* When a step wants KOLLA_BOOTSTRAP or DB sync, use logs data owning init containers to set permissions for logs. This is required because kolla bootstrap and DB sync runs before the kolla config stage and there is yet permissions set for logs.
* In order to address hybrid cases for host services vs containerized ones to access logs having different UIDs, persist containerized services' logs into separate directories (an upgrade impact)
* Ensure host prep tasks to create /var/log/containers/ and /var/lib/ sub-directories for services
* Fix missing /etc/httpd, /var/www config-data mounts for zaqar/ironic
* Fix YAML indentation and drop strings quotation.

Co-authored-by: Bogdan Dobrelya <bdobreli@redhat.com> Partial blueprint containerized-services-logs Change-Id: I53e737120bf0121bd28667f355b6f29f1b2a6b82
2017-05-03 | Use httpd in Heat docker services | Thomas Herve | 2 | -16/+22
This switches heat-api and heat-api-cfn to use httpd in containerized overcloud. Co-Authored-By: Martin André <m.andre@redhat.com> Change-Id: I2fe6e25474279c7c91a69d9df7b28e12b1d8ac00
2017-05-03 | Merge "Move containers common volumes from yaql to list_concat" | Jenkins | 35 | -593/+477
2017-05-02 | Add deprecation notes for panko service | Pradeep Kilambi | 1 | -1/+3
Change-Id: Ic218a753e0cede2ba3951bcaec843f487dce0c71
2017-05-02 | Move containers common volumes from yaql to list_concat | Juan Antonio Osorio Robles | 35 | -593/+477
list_concat was introduced recently and is able to replace the yaql calls for concatenating lists. Change-Id: Id3a80a0e1e4c25b6d838898757c69ec99d0cd826