From 4645d9ce833197c42a563773cbf026d8853a4426 Mon Sep 17 00:00:00 2001 From: Damien Ciabrini Date: Wed, 14 Jun 2017 07:52:33 -0400 Subject: Fix creation of iptables rules for non-HA containerized HAproxy The introduction of I90253412a5e2cd8e56e74cce3548064c06d022b1 broke the HAproxy service due to some HAproxy-specific iptables rules being executed during the puppet config step. Ensure that no iptables call is performed during the generation of configuration files. Move those calls to step 1, as implemented in the pacemaker-based HAproxy service (Ib5a083ba3299a82645f1a0f9da0d482c6b89ee23). Depends-On: I2d6274d061039a9793ad162ed8e750bd87bf71e9 Closes-Bug: #1697921 Change-Id: Ica3a432ff4a9e7a46df22cddba9ad96e1390b665 --- docker/services/haproxy.yaml | 40 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) (limited to 'docker/services/haproxy.yaml') diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml index 21baf5c6..42a8902e 100644 --- a/docker/services/haproxy.yaml +++ b/docker/services/haproxy.yaml @@ -85,6 +85,7 @@ outputs: map_merge: - get_attr: [HAProxyBase, role_data, config_settings] - tripleo::haproxy::haproxy_daemon: false + tripleo::haproxy::haproxy_service_manage: false step_config: &step_config get_attr: [HAProxyBase, role_data, step_config] service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]} @@ -92,7 +93,8 @@ outputs: puppet_config: config_volume: haproxy puppet_tags: haproxy_config - step_config: *step_config + step_config: + "class {'::tripleo::profile::base::haproxy': manage_firewall => false}" config_image: {get_param: DockerHAProxyConfigImage} volumes: &deployed_cert_mount - list_join: 
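Review bot: The replacement `step_config` under `puppet_config` hard-codes `class {'::tripleo::profile::base::haproxy': manage_firewall => false}` with no comment saying why it departs from the shared `*step_config`. A reader has to go to the commit message to learn that iptables must not run during config generation. A comment above the key would keep that visible, for example `# config generation must not touch iptables; firewall rules are applied by the step_1 haproxy_firewall container`. Because the literal no longer derives from HAProxyBase's `step_config`, anything else that manifest declares is presumably no longer applied in this step and the two can drift, so it is worth confirming that is intended. The hieradata line `tripleo::haproxy::haproxy_service_manage: false` added in the first hunk would benefit from the same kind of one-line rationale.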
@@ -110,10 +112,44 @@ outputs: preserve_properties: true docker_config: step_1: + haproxy_firewall: + detach: false + image: {get_param: DockerHAProxyImage} + net: host + user: root + privileged: true + command: + - '/bin/bash' + - '-c' + - str_replace: + template: + list_join: + - '; ' + - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 1}' > /etc/puppet/hieradata/docker.json" + - "FACTER_uuid=docker puppet apply --tags TAGS -v -e 'CONFIG'" + params: + TAGS: 'tripleo::firewall::rule' + CONFIG: *step_config + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - *deployed_cert_mount + - + - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro + # puppet saves iptables rules in /etc/sysconfig + - /etc/sysconfig:/etc/sysconfig:rw + # saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount + # the necessary bit and prevent systemd to try to reload the service in the container + - /usr/libexec/iptables:/usr/libexec/iptables:ro + - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro + - /etc/puppet:/tmp/puppet-etc:ro + - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS haproxy: image: {get_param: DockerHAProxyImage} net: host - privileged: false restart: always volumes: list_concat: -- cgit 1.2.3-korg
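Review bot: The new `haproxy_firewall` step_1 container combines `privileged: true`, `user: root`, `net: host` and a read-write bind of `/etc/sysconfig`, which looks like more host access than applying and saving iptables rules needs, and nothing in the hunk records why. At minimum add a comment above `privileged: true`, such as `# one-shot: puppet must program the host's iptables, hence host net + privileged`. If the docker_config schema offers a capability list, granting only NET_ADMIN would be narrower than full privilege. Separately, `CONFIG` is substituted inside single quotes in the `bash -c` string, so a `step_config` manifest containing a `'` would end the quoting early and change what the shell runs, and joining the commands with `'; '` lets `puppet apply` run even when the `cp` failed. The hunk also drops the explicit `privileged: false` from the long-running `haproxy` container, whose definition continues past the hunk, so that setting now depends on the runtime default; keeping it explicit would be easier to audit.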