summaryrefslogtreecommitdiffstats
path: root/docker
AgeCommit message (Collapse)AuthorFilesLines
2017-05-08Containers: Bind mount directories with the key/certs for heatJuan Antonio Osorio Robles2-0/+32
This is only done when TLS-everywhere is enabled, and depends on those directories being exclusive for services that run over httpd. bp tls-via-certmonger-containers Change-Id: I194c33992c7f3628f7858ecf5e472ecfdee969ed
2017-05-05Mount hostpath logs on /var/logFlavio Percoco37-60/+501
Some containers are using the logs named volume for collecting logs written to `/var/log`. We should make this consistent for all the containers. This patch also cleans up some mounts that weren't needed for some services. For example, glance-api doesn't need `/run` to be mounted. Other changes: * Rework log volumes to hostpath mounts to omit slow COW writes. * Add kolla_config's permission and host_prep_tasks create and manage hostpath mounted log dirs permissions. * Rework data owning init containers to kolla_config permissions * When a step wants KOLLA_BOOTSTRAP or DB sync, use logs data owning init containers to set permissions for logs. This is required because kolla bootsrap and DB sync runs before the kolla config stage and there is yet permissions set for logs. * In order to address hybrid cases for host services vs containerized ones to access logs having different UIDs, persist containerized services' logs into separate directories (an upgrade impact) * Ensure host prep tasks to create /var/log/containers/ and /var/lib/ sub-directories for services * Fix missing /etc/httpd, /var/www config-data mounts for zaqar/ironic * Fix YAML indentation and drop strings quotation. Co-authored-by: Bogdan Dobrelya <bdobreli@redhat.com> Partial blueprint containerized-services-logs Change-Id: I53e737120bf0121bd28667f355b6f29f1b2a6b82
2017-05-03Use httpd in Heat docker servicesThomas Herve2-16/+22
This switches heat-api and heat-api-cfn to use httpd in containerized overcloud. Co-Authored-By: Martin André <m.andre@redhat.com> Change-Id: I2fe6e25474279c7c91a69d9df7b28e12b1d8ac00
2017-05-03Merge "Move containers common volumes from yaql to list_concat"Jenkins35-593/+477
2017-05-02Add deprecation notes for panko servicePradeep Kilambi1-1/+3
Change-Id: Ic218a753e0cede2ba3951bcaec843f487dce0c71
2017-05-02Move containers common volumes from yaql to list_concatJuan Antonio Osorio Robles35-593/+477
list_concat was introduced recently and is able to replace the yaql calls for concatenating lists. Change-Id: Id3a80a0e1e4c25b6d838898757c69ec99d0cd826
2017-05-02Improve logging for docker-puppet.pyBogdan Dobrelya1-36/+50
Log prepared docker command Use logger stdout instead of print command Log stderr as debug as well Change-Id: I3d48fbf4fa3381d325e3be3788b041e06d4bb294 Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-04-28Merge "Fix redis container"Jenkins1-2/+17
2017-04-27Merge "Add missing tag to nova-placement docker image"Jenkins1-1/+1
2017-04-27Fix redis containerMartin André1-2/+17
The puppet-redis module makes use of the exec puppet tag to copy the /etc/redis.conf.puppet file to /etc/redis.conf. We need to explicitly enable it otherwise our redis container will pick up the default redis configuration and not the one that was generated with puppet. Also creates the /var/run/redis directory on the host since we bind mount /run, and ensure the container sets the correct ownership on the directory. Finally, configure redis to not daemonize otherwise the container ends up in a restart loop. Change-Id: Ia1dce2120ca7479eef8bc77dedf9431adbe210cc Closes-Bug: #1686707
2017-04-27Merge "Fix etcd_init_task volume"Jenkins1-1/+1
2017-04-26Merge "Containerize Redis service"Jenkins1-0/+78
2017-04-26Fix etcd_init_task volumeBogdan Dobrelya1-1/+1
Docker puppet hook writes to /etc of containers. Mount /etc as rw for etcd container. Change-Id: I8e45de18a91022690c19888cbfaa68d2fdfe46ce Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-04-25Merge "Fix dependencies for PreConfig/PostConfig resources"Jenkins1-17/+6
2017-04-25Merge "Containerize etcd service"Jenkins1-0/+105
2017-04-25Fix dependencies for PreConfig/PostConfig resourcesSteven Hardy1-17/+6
We have a circular dependency errror since https://review.openstack.org/#/c/452734/ landed. This adjusts the dependencies to ensure we run pre-config before the first puppet deploy step, and removes the duplicate declaration of the ControllerPostConfig resource. Also we ensure the first container step always depends on the same step puppet deploy. Change-Id: I70c5a39fb36b951bdeb04c15bddac7d00eebf08a Closes-Bug: #1686098
2017-04-24Merge "Merge pre|post puppet resources into pre|post config."Jenkins1-4/+4
2017-04-24Merge "Fix containerized RabbitMQ service deployment"Jenkins1-3/+16
2017-04-24Containerize etcd serviceBogdan Dobrelya1-0/+105
Depends-On: I3ad463217ed3f2d6374627248236b274cfed72fb Depends-On: If4b01934a9a5cb6ca2ff6c1831e4fe073f1b04ea Closes-bug: #1668938 Change-Id: I6cb902d712849bf11f331ed776cd0ed6e200dcd9 Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-04-24Merge "Don't attempt to configure live migration"Jenkins2-2/+18
2017-04-24Merge pre|post puppet resources into pre|post config.Carlos Camacho1-4/+4
The [Pre|Post]Puppet resources were renamed in https://review.openstack.org/#/c/365763. This was intended for having a pre/post deployment steps using an agnostic name instead of being attached to a technology. The renaming was unintentionally reverted in https://review.openstack.org/#/c/393644/ and https://review.openstack.org/#/c/434451. This submission merge both resources into one, and remove the old pre|post hooks. Closes-bug: #1669756 Change-Id: Ic9d97f172efd2db74255363679b60f1d2dc4e064
2017-04-24Fix containerized RabbitMQ service deploymentBogdan Dobrelya1-3/+16
* Use default puppet tags instead of the 'file' tag only * Noop user/policy providers for puppet_config docker step and move them into docker_puppet_tasks (init container) Change-Id: I98a54808aae6fca060b23f074b71178f2d4c815e Closes-bug: #1684138 Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-04-24Merge "Containers: disable downloading rabbitmqadmin"Jenkins1-1/+4
2017-04-21Containerize Redis servicePradeep Kilambi1-0/+78
Closes-bug: #1668919 Change-Id: Ie750caa34c6fa22ca6eae6834b9ca20e15d97f7f
2017-04-21Don't attempt to configure live migrationJiri Stransky2-2/+18
When configuring nova containers via puppet, the puppet class chain includes a class for live migration, which configures live migration aspects in nova and libvirt. Some of the libvirt config parts try to notify Service[libvirt], but that service definition is only included in nova-libvirt service, it's not included in the control plan nova services. However, our hieradata is currently global on the node, it's not per-service, which means even though only nova-compute and nova-libvirt service set tripleo::profile::base::nova::manage_migration: true this hiera setting is applied to all containers running puppet, most notably the ones which configure nova control plane services. As a result, configuration of nova control plane services failed, and in turn the whole deployment failed. This commit disables the libvirt part of live migration config until we implement some better solution (e.g. hieradata separation between different puppet containers, or move the libvirt config parts only to nova-compute manifests in puppet-tripleo). Change-Id: I0328406607d451e6bdce4d92c441c03648925fa7 Closes-Bug: #1684107
2017-04-21Merge "Use -net=host for docker-puppet.py config gen"Jenkins1-0/+4
2017-04-21Merge "Add defaults for docker puppet tasks"Jenkins1-4/+10
2017-04-20Add defaults for docker puppet tasksSteven Hardy1-4/+10
Currently we're referencing some steps that don't exist in the output from the OS::Heat::Value resource, but as noted in the heat bug #1681749 I think this isn't valid and probably should not be allowed, so instead merge defaults with the non-empty step tasks. To avoid further duplication of the loop variables, I made the max step a variable. Change-Id: Icf3d639b53c97006a0c370c12600449fba6f3323 Related-Bug: #1681749
2017-04-19Containers: disable downloading rabbitmqadminJiri Stransky1-1/+4
There's no need for puppet to download rabbitmqadmin script from rabbitmq, as the script would be immediately deleted together with the ephemeral puppet container. Also, since rabbitmq isn't running at the time we run the puppet container (rabbitmq doesn't have config files generated at that point), puppet couldn't connect to rabbitmq anyway. Change-Id: Ia59e1013c24ab02037246135024418cc9b674606 Closes-Bug: #1684104
2017-04-19Add missing tag to nova-placement docker imageMartin André1-1/+1
This is not really an issue, but this is now consistent with other images and is generally nicer to people with OCD. Also, this helps generating a consistent overcloud_containers.yaml from parsing the heat templates. Change-Id: I24b41dea51d2a8e862f43e9092c94ba07431af4a
2017-04-19containers: TLS in the internal network for telemetry servicesJuan Antonio Osorio Robles3-0/+57
This covers aodh, gnocchi and panko. cp tls-via-certmonger-containers Change-Id: I6dabb0d82755c28b8940c0baab0e23cfcc587c42
2017-04-19Merge "Introduce common CAs to be mounted to the containers"Jenkins1-0/+5
2017-04-19Merge "Introduce common resources for docker templates"Jenkins36-349/+644
2017-04-19Merge "Use underscore for Aodh and Gnocchi's container names"Jenkins2-4/+4
2017-04-18Merge "Fix nova-compute service name in upgrade steps"Jenkins2-2/+2
2017-04-18Introduce common CAs to be mounted to the containersJuan Antonio Osorio Robles1-0/+5
When TLS is enabled, the containers need to trust the CAs that the host trusts. Change-Id: I0434b0ac10290970857cad3d1a89d00f5b054196
2017-04-18Introduce common resources for docker templatesJuan Antonio Osorio Robles36-349/+644
This enables common resources that the docker templates might need. The initial resource only is common volumes, and two volumes are introduced (localtime and hosts). Change-Id: Ic55af32803f9493a61f9b57aff849bfc6187d992
2017-04-16Revert "Use httpd in Zaqar docker service"Dan Prince1-6/+3
This reverts commit 57a26486128982c9887edd02eb8897045215b10a. Change-Id: I1bbe16a1a7a382ae0c898bd19cd64d3d49aa84c7 Closes-bug: #1683210
2017-04-13Merge "Add tags to roles"Jenkins1-3/+10
2017-04-13Merge "Do not log errors on non-existing container"Jenkins1-1/+4
2017-04-13Fix nova-compute service name in upgrade stepsJiri Stransky2-2/+2
Previously Ansible upgrade steps failed with: Could not find the requested service nova-compute: cannot disable. Change-Id: I14e8bc89aca0a3f7308d88488b431e23251cc043 Closes-Bug: #1682373
2017-04-13Use underscore for Aodh and Gnocchi's container namesJuan Antonio Osorio Robles2-4/+4
The rest of the services are using underscores, so this helps uniformity. Change-Id: I4ce3cc76f430a19fa08c77b004b86ecad02119ae
2017-04-12Merge "Add upgrade tasks for gnocchi container services"Jenkins3-0/+12
2017-04-12Merge "Use httpd in Zaqar docker service"Jenkins1-3/+6
2017-04-12Merge "Bind mount directories that contain the key/certs for keystone"Jenkins1-0/+17
2017-04-12Merge "docker/all: Bind-mount OpenSSL CA bundle"Jenkins1-0/+6
2017-04-12Add tags to rolesAlex Schultz1-3/+10
Prior to Ocata, the Controller role was hardcoded for various lookups. When we switched to having the primary role name being dynamically pulled from the roles_data.yaml using the first role as the primary role as part of I36df7fa86c2ff40026d59f02248af529a4a81861, it introduced a regression for folks who had previously been using a custom roles file without the Controller being listed first. Instead of relying on the position of the role in the roles data, this change adds the concepts of tags to the role data that can be used when looking for specific functionality within the deployment process. If no roles are specified with this the tags indicating a 'primary' 'controller', it will fall back to using the first role listed in the roles data as the primary role. Change-Id: Id3377e7d7dcc88ba9a61ca9ef1fb669949714f65 Closes-Bug: #1677374
2017-04-12Bind mount directories that contain the key/certs for keystoneJuan Antonio Osorio Robles1-0/+17
This is only done when TLS-everywhere is enabled, and depends on those directories being exclusive for services that run over httpd. Which is the commit this is on top of. Also, an environment file was added that's similar to environments/docker.yaml. The difference is that this one will contain the services that can run containerized with TLS-everywhere. This file will be updated as more services get support for this. bp tls-via-certmonger-containers Change-Id: I87bf59f2c33de6cf2d4ce0679a5e0e22bc24bf78
2017-04-12docker/all: Bind-mount OpenSSL CA bundleJuan Antonio Osorio Robles1-0/+6
The containers also need to trust the CA's that the overcloud node trusts, else we'll get SSL verification failures. bp tls-via-certmonger-containers Change-Id: I7d3412a6273777712db2c90522e365c413567c49
2017-04-11Use -net=host for docker-puppet.py config genDan Prince1-0/+4
We pass the short hostname to docker-puppet.py. In order to satisfy the factor FQDN check for the short hostname we need to run the container with --net=host in some cases. Change-Id: I2929f122f23ee33e8ea5d4c5006d2bbb8b928b67 Closes-bug: #1681903