aboutsummaryrefslogtreecommitdiffstats
path: root/docker
AgeCommit message (Collapse)AuthorFilesLines
2017-04-18Introduce common CAs to be mounted to the containersJuan Antonio Osorio Robles1-0/+5
When TLS is enabled, the containers need to trust the CAs that the host trusts. Change-Id: I0434b0ac10290970857cad3d1a89d00f5b054196
2017-04-18Introduce common resources for docker templatesJuan Antonio Osorio Robles36-349/+644
This enables common resources that the docker templates might need. The initial resource only is common volumes, and two volumes are introduced (localtime and hosts). Change-Id: Ic55af32803f9493a61f9b57aff849bfc6187d992
2017-04-16Revert "Use httpd in Zaqar docker service"Dan Prince1-6/+3
This reverts commit 57a26486128982c9887edd02eb8897045215b10a. Change-Id: I1bbe16a1a7a382ae0c898bd19cd64d3d49aa84c7 Closes-bug: #1683210
2017-04-13Merge "Add tags to roles"Jenkins1-3/+10
2017-04-13Merge "Do not log errors on non-existing container"Jenkins1-1/+4
2017-04-13Fix nova-compute service name in upgrade stepsJiri Stransky2-2/+2
Previously Ansible upgrade steps failed with: Could not find the requested service nova-compute: cannot disable. Change-Id: I14e8bc89aca0a3f7308d88488b431e23251cc043 Closes-Bug: #1682373
2017-04-13Use underscore for Aodh and Gnocchi's container namesJuan Antonio Osorio Robles2-4/+4
The rest of the services are using underscores, so this helps uniformity. Change-Id: I4ce3cc76f430a19fa08c77b004b86ecad02119ae
2017-04-12Merge "Add upgrade tasks for gnocchi container services"Jenkins3-0/+12
2017-04-12Merge "Use httpd in Zaqar docker service"Jenkins1-3/+6
2017-04-12Merge "Bind mount directories that contain the key/certs for keystone"Jenkins1-0/+17
2017-04-12Merge "docker/all: Bind-mount OpenSSL CA bundle"Jenkins1-0/+6
2017-04-12Add tags to rolesAlex Schultz1-3/+10
Prior to Ocata, the Controller role was hardcoded for various lookups. When we switched to having the primary role name being dynamically pulled from the roles_data.yaml using the first role as the primary role as part of I36df7fa86c2ff40026d59f02248af529a4a81861, it introduced a regression for folks who had previously been using a custom roles file without the Controller being listed first. Instead of relying on the position of the role in the roles data, this change adds the concepts of tags to the role data that can be used when looking for specific functionality within the deployment process. If no roles are specified with this the tags indicating a 'primary' 'controller', it will fall back to using the first role listed in the roles data as the primary role. Change-Id: Id3377e7d7dcc88ba9a61ca9ef1fb669949714f65 Closes-Bug: #1677374
2017-04-12Bind mount directories that contain the key/certs for keystoneJuan Antonio Osorio Robles1-0/+17
This is only done when TLS-everywhere is enabled, and depends on those directories being exclusive for services that run over httpd. Which is the commit this is on top of. Also, an environment file was added that's similar to environments/docker.yaml. The difference is that this one will contain the services that can run containerized with TLS-everywhere. This file will be updated as more services get support for this. bp tls-via-certmonger-containers Change-Id: I87bf59f2c33de6cf2d4ce0679a5e0e22bc24bf78
2017-04-12docker/all: Bind-mount OpenSSL CA bundleJuan Antonio Osorio Robles1-0/+6
The containers also need to trust the CA's that the overcloud node trusts, else we'll get SSL verification failures. bp tls-via-certmonger-containers Change-Id: I7d3412a6273777712db2c90522e365c413567c49
2017-04-11Use -net=host for docker-puppet.py config genDan Prince1-0/+4
We pass the short hostname to docker-puppet.py. In order to satisfy the factor FQDN check for the short hostname we need to run the container with --net=host in some cases. Change-Id: I2929f122f23ee33e8ea5d4c5006d2bbb8b928b67 Closes-bug: #1681903
2017-04-11docker: use noop_resource for Nova_cell_v2Dan Prince1-1/+4
Per puppet-nova commit 2c743a6bff5b17a85d1e0500f3a9ecb21468204e there is now a custom resource for Nova_cell_v2 configuration. As this resource runs automatically regardless of our use of puppet tags we need to explicitly disable it to be able to generate Nova API configs for docker. Change-Id: Id675dc124464acddc3fc5a88b017a351e93ba685 Closes-bug: #1681841
2017-04-11Do not log errors on non-existing containerMartin André1-1/+4
This is cluttering up the logs with useless error messages, making it more difficult than necessary to debug the CI job. Change-Id: Icbdc4c74d99fea39b8722955dab56e5f538849aa
2017-04-10Add upgrade tasks for gnocchi container servicesPradeep Kilambi3-0/+12
Change-Id: I43c35bbf959e5dcdd7e87a8f6a604d5fe5b4f2a9
2017-04-06Merge "Use kolla api to set ownership"Jenkins2-21/+10
2017-04-06Merge "docker-puppet.py fail if any worker fails"Jenkins1-1/+10
2017-04-05Ironic containers: chown /var/lib/ironic correctlyDan Prince1-4/+1
This updates the docker version of ironic-conductor.yaml so that it sets permissions on the entire /var/lib/ironic tree correctly. Since 1a4ece16cea40075fe7332ed048b9c289b3ff424 we bind mount in /var/lib/ironic from the host (created via Ansible if it didn't already exist). This caused a subtle permissions issue in that the Ironic conductor service can no longer create sub-directories it needs to operate. Change-Id: I1eb6b5ddad7cd89ee887e2e429ebe245aa7b80dc Closes-bug: 1677086
2017-04-05Use httpd in Zaqar docker serviceThomas Herve1-3/+6
Move the Zaqar WSGI service to use httpd in docker deployment. Co-Authored-By: Martin André <m.andre@redhat.com> Change-Id: If9b16c1aa3529386e68961e3dda5f613ac57b44b
2017-04-05Use kolla api to set ownershipMartin André2-21/+10
Kolla provides a way to set ownership of files and directory inside the containers. Use it instead of running an additional container to do the job. Change-Id: I554faf7c797f3997dd3ca854da032437acecf490
2017-04-04Merge "Remove kolla_config copy from services"Jenkins36-473/+133
2017-04-03Remove kolla_config copy from servicesMartin André36-473/+133
Simplify the config of the containerized services by bind mounting in the configurations instead of specifying them all in kolla config. This is change is useful to limit the side effects of generating the config files and running the container is two separate steps as config directories are now bind-mounted inside the container instead of having files being copied to the container. We've seen examples of Apache's mod_ssl configuration file present on the container preventing it to start when puppet configured apache not to load the ssl module (in case TLS is disabled). Co-Authored-By: Ian Main <imain@redhat.com> Change-Id: I4ec5dd8b360faea71a044894a61790997f54d48a
2017-03-30Output service_metadata_settings in docker services.yamlJuan Antonio Osorio Robles1-0/+2
This output gets nova metadata into the servers this is deployed to and is necessary for the TLS-everywhere work. bp tls-via-certmonger-containers Change-Id: Iff54f7af9c63a529f88c6455047f6584d29154b4
2017-03-28Allow to configure policy.json for OpenStack projectsEmilien Macchi2-3/+3
For both containers and classic deployments, allow to configure policy.json for all OpenStack APIs with new parameters (hash, empty by default). Example of new parameter: NovaApiPolicies. See environments/nova-api-policy.yaml for how the feature can be used. Note: use it with extreme caution. Partial-implement: blueprint modify-policy-json Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
2017-03-27Remove kolla_config copy from keystone service.Ian Main1-47/+3
Simplify the config of the keystone service by mounting in the configurations instead of specifying them all in kolla config. This is change is useful to limit the side effects of generating the config files and running the container is two separate steps as config directories are now bind-mounted inside the container instead of having files being copied to the container. We've seen examples of Apache's mod_ssl configuration file present on the container preventing it to start when puppet configured apache not to load the ssl module (in case TLS is disabled). Co-Authored-By: Martin André <m.andre@redhat.com> Change-Id: Ie33ffc7c2b1acf3e4e505d38efb104bf013f2ce6
2017-03-27Merge "Run nova-api hosts discovery after nova-compute start"Jenkins1-1/+2
2017-03-27docker/keystone: Bind mount entire fernet keys repositoryJuan Antonio Osorio Robles1-10/+5
Previously only the first two intial fernet keys were mounted into the container. This is not practical, however, as doing key rotation will generate more entries in this repository. So instead we mount the whole directory, which would allow us to do rotation in the base host and seamlessly affect the container as well. Change-Id: I7763a09e57fe6a7867ffd079ab0b9222374c38c8
2017-03-26Merge "docker/keystone: Actually set fernet as the default token provider"Jenkins1-1/+1
2017-03-26Merge "docker-puppet: skip empty volume entries"Jenkins1-1/+2
2017-03-25Merge "Rework container volumes as hostpath mounts"Jenkins4-3/+15
2017-03-24Merge "Clarify Kolla build overrides for tripleo"Jenkins1-1/+5
2017-03-24Rework container volumes as hostpath mountsBogdan Dobrelya4-3/+15
Also add upgrade_tasks to disable corresponding host services in order to not data race with containers Change-Id: I19c16aaa3e5a73436ca7aa7d06facf64feee2327 Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-03-23Merge "Keep existing data for containerized Libvirt"Jenkins2-3/+16
2017-03-22Run nova-api hosts discovery after nova-compute startMartin André1-1/+2
The previous code had a race condition where nova-api host discovery and nova-compute where run at the same step. This commit ensures host discovery happens after nova-compute has started. Change-Id: Id2fc795a64783d958d98d4ac523a19079e8a4fab Closes-Bug: #1675011
2017-03-22docker/keystone: Actually set fernet as the default token providerJuan Antonio Osorio Robles1-1/+1
A previous commit [1] added support for fernet in the keystone docker service; however, this was not set as the default token provider. This patch makes it the default. [1] Id92039b3bad9ecda169323e01de7bebae70f2ba0 Change-Id: Ib44ab61eba0be8ba54bc7d0bdb22437d769cb960
2017-03-22docker-puppet: skip empty volume entriesJuan Antonio Osorio Robles1-1/+2
This allows to optionally add volumes, where we could use a heat conditional to either put the volume path we want or put an empty string which should be safely skipped. Change-Id: I68f91ffdd8ceb14735adad1322fcf124c47b160c
2017-03-21Merge "Keep existing data for containerized ironic-conductor"Jenkins2-12/+45
2017-03-21Merge "Cleanup docker services templates"Jenkins16-85/+40
2017-03-20Merge "Containerize panko api service"Jenkins1-0/+119
2017-03-20Keep existing data for containerized ironic-conductorJiri Stransky2-12/+45
Use mounts instead of docker volumes, and preserve existing data when moving from baremetal to containerized ironic-conductor. We cannot keep the data in the same directory to avoid hard-linking errors in ironic, because of this issue: https://github.com/docker/docker/issues/7457 This means we need to copy the data over to a new location before we start the containers. Change-Id: If98460120212f887b06adf117c5d88b97682638e
2017-03-17Merge "docker/keystone: add metadata_settings to output"Jenkins1-0/+2
2017-03-17Merge "Keep existing data for containerized Swift"Jenkins2-16/+26
2017-03-17Merge "Keep existing data for containerized RabbitMQ"Jenkins1-2/+7
2017-03-17Containerize panko api serviceFlavio Percoco1-0/+119
Co-Authored-By: Pradeep Kilambi <pkilambi@redhat.com> Closes-bug: #1668918 Change-Id: Ie1ebd25965bd2dbad2a22161da0022bad0b9e554
2017-03-17Merge "Keep existing data for containerized MongoDB"Jenkins1-1/+15
2017-03-16Merge "Keep existing data when moving to containerized MariaDB"Jenkins1-4/+21
2017-03-16docker/keystone: add metadata_settings to outputJuan Antonio Osorio Robles1-0/+2
This is used for the TLS-everywhere bits. It will be taken into account by a metadata hook that outputs relevant entries for the nova-metadata service; and subsequently kerberos principals will be created from these. Subsequent patches will add support for TLS in the internal network for the containerized keystone. Change-Id: Ic747ad9c8d6e76c8c16e347c1cdcabc899dd9f9a