From 1d09aa68faec603463faab62011154354d66a142 Mon Sep 17 00:00:00 2001 
From: Michele Baldessari Date: Thu, 19 Dec 2019 08:48:23 +0100 Subject: [PATCH] Make the bundle user configurable via hiera Allow all bundles' --user option to be overridden as some of them might prefer switching to a non-root user when possible. The ovn-dbs bundle is a bit special because it never specified any user. Hence we default that user to undef and do not set anything. Tested as follows: 1. deployed an overcloud 2. patched it with this change 3. redeployed and then observed that no HA container has restarted at all 4. verified cinder-volume runs with root by default: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.0 4204 716 ? Ss 09:01 0:00 dumb-init --single-child -- /bin/bash /usr/local/bin/kolla_start root 7 0.7 0.7 912976 145760 ? S 09:01 1:04 /usr/bin/python3 /usr/bin/cinder-volume --config-file /usr/share/cinder/cinder-dist.conf --config-file /etc/cinder/cinder.conf root 71 0.1 0.6 925800 124640 ? S 09:01 0:14 /usr/bin/python3 /usr/bin/cinder-volume --config-file /usr/share/cinder/cinder-dist.conf --config-file /etc/cinder/cinder.conf 5. added 'tripleo::profile::pacemaker::cinder::volume_bundle::bundle_user: cinder' to the templates and redeployed 6. Observed that cinder-volume got restarted and now runs with cinder user: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND cinder 1 0.0 0.0 4204 804 ? Ss 12:23 0:00 dumb-init --single-child -- /bin/bash /usr/local/bin/kolla_start cinder 7 2.1 0.7 912976 145432 ? S 12:23 0:04 /usr/bin/python3 /usr/bin/cinder-volume --config-file /usr/share/cinder/cinder-dist.conf --config-file /etc/cinder/cinder.conf cinder 64 0.3 0.5 919908 118452 ? 
S 12:23 0:00 /usr/bin/python3 /usr/bin/cinder-volume --config-file /usr/share/cinder/cinder-dist.conf --config-file /etc/cinder/cinder.conf Change-Id: I985d0d192ef3accf7fdd31503348de80713fded4 (cherry picked from commit d766eb81a3eb1864aa9c6d4b3b4d5fb978282219) --- .../profile/pacemaker/cinder/backup_bundle.pp | 9 ++++++++- .../profile/pacemaker/cinder/volume_bundle.pp | 9 ++++++++- .../profile/pacemaker/database/mysql_bundle.pp | 9 ++++++++- .../profile/pacemaker/database/redis_bundle.pp | 9 ++++++++- manifests/profile/pacemaker/haproxy_bundle.pp | 9 ++++++++- manifests/profile/pacemaker/manila/share_bundle.pp | 9 ++++++++- manifests/profile/pacemaker/ovn_dbs_bundle.pp | 14 +++++++++++++- manifests/profile/pacemaker/rabbitmq_bundle.pp | 7 ++++++- 8 files changed, 67 insertions(+), 8 deletions(-)
diff --git a/manifests/profile/pacemaker/cinder/backup_bundle.pp b/manifests/profile/pacemaker/cinder/backup_bundle.pp
index 90334732d..e79d53b7c 100644
--- a/manifests/profile/pacemaker/cinder/backup_bundle.pp
+++ b/manifests/profile/pacemaker/cinder/backup_bundle.pp
@@ -56,6 +56,10 @@
 # (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
 # Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
 #
+# [*bundle_user*]
+# (optional) Set the --user= switch to be passed to pcmk
+# Defaults to 'root'
+#
 class tripleo::profile::pacemaker::cinder::backup_bundle (
 $bootstrap_node = hiera('cinder_backup_short_bootstrap_node_name'),
 $cinder_backup_docker_image = hiera('tripleo::profile::pacemaker::cinder::backup_bundle::cinder_backup_docker_image', undef),
@@ -64,6 +68,7 @@ class tripleo::profile::pacemaker::cinder::backup_bundle (
 $container_backend = 'docker',
 $log_driver = undef,
 $tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
+ $bundle_user = 'root',
 $pcs_tries = hiera('pcs_tries', 20),
 $step = Integer(hiera('step')),
 ) {
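Review bot: `$bundle_user` in the new `class tripleo::profile::pacemaker::cinder::backup_bundle (` parameter list (hunk `@@ -64,6 +68,7 @@`) is untyped, yet it is interpolated verbatim into the `options` string of the bundle resource later in this file, so an empty or whitespace-containing hiera value (e.g. `cinder --cap-add=ALL`) would silently extend the bundle's container options instead of failing at catalog compile time. Hiera is operator-controlled, so this is a robustness rather than an exposure issue, but the file already relies on Puppet 4 typing (`Integer(hiera('step'))`), so a constrained type is cheap: `Pattern[/\A[A-Za-z0-9_][A-Za-z0-9_.:-]*\z/] $bundle_user = 'root',`. The doc block in the first hunk could also say where the switch ends up, e.g. `# (optional) User passed as --user= in the bundle's container run options (presumably via pcs resource bundle create ... options=)`. The same untyped parameter is repeated in every other bundle class of this patch.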
@@ -219,7 +224,9 @@ class tripleo::profile::pacemaker::cinder::backup_bundle (
 expression => ['cinder-backup-role eq true'],
 },
 container_options => 'network=host',
- options => "--ipc=host --privileged=true --user=root --log-driver=${log_driver_real} ${docker_env}${tls_priorities_real}",
+ # lint:ignore:140chars
+ options => "--ipc=host --privileged=true --user=${bundle_user} --log-driver=${log_driver_real} ${docker_env}${tls_priorities_real}",
+ # lint:endignore
 run_command => '/bin/bash /usr/local/bin/kolla_start',
 storage_maps => $storage_maps,
 container_backend => $container_backend,
diff --git a/manifests/profile/pacemaker/cinder/volume_bundle.pp b/manifests/profile/pacemaker/cinder/volume_bundle.pp
index ec266c533..ed7ad7637 100644
--- a/manifests/profile/pacemaker/cinder/volume_bundle.pp
+++ b/manifests/profile/pacemaker/cinder/volume_bundle.pp
@@ -56,6 +56,10 @@
 # (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
 # Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
 #
+# [*bundle_user*]
+# (optional) Set the --user= switch to be passed to pcmk
+# Defaults to 'root'
+#
 class tripleo::profile::pacemaker::cinder::volume_bundle (
 $bootstrap_node = hiera('cinder_volume_short_bootstrap_node_name'),
 $cinder_volume_docker_image = hiera('tripleo::profile::pacemaker::cinder::volume_bundle::cinder_volume_docker_image', undef),
@@ -66,6 +70,7 @@ class tripleo::profile::pacemaker::cinder::volume_bundle (
 $container_backend = 'docker',
 $log_driver = undef,
 $tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
+ $bundle_user = 'root',
 ) {
 if $::hostname == downcase($bootstrap_node) {
 $pacemaker_master = true
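Review bot: `--user=${bundle_user}` on the new `options` line of hunk `@@ -219,7 +224,9 @@` still sits next to `--ipc=host --privileged=true`, so a non-root `bundle_user` here does not buy the privilege reduction the commit message is after: with `--privileged` the container keeps the host's device nodes and the relaxed seccomp/LSM/mount confinement whatever the uid, and only the uid of kolla_start and its children changes. That is still worth having, but the parameter doc should not let operators read it as a sandbox, so I would add above the `options` line `# NOTE: --privileged=true is still passed; a non-root bundle_user only changes the uid, not the container's device exposure or confinement.` The same pairing appears in the cinder-volume and manila-share bundles of this patch. The `pacemaker::resource::bundle` resource whose options this sets starts before the hunk.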
@@ -220,7 +225,9 @@ class tripleo::profile::pacemaker::cinder::volume_bundle (
 expression => ['cinder-volume-role eq true'],
 },
 container_options => 'network=host',
- options => "--ipc=host --privileged=true --user=root --log-driver=${log_driver_real} ${docker_env}${tls_priorities_real}",
+ # lint:ignore:140chars
+ options => "--ipc=host --privileged=true --user=${bundle_user} --log-driver=${log_driver_real} ${docker_env}${tls_priorities_real}",
+ # lint:endignore
 run_command => '/bin/bash /usr/local/bin/kolla_start',
 storage_maps => $storage_maps,
 container_backend => $container_backend,
diff --git a/manifests/profile/pacemaker/database/mysql_bundle.pp b/manifests/profile/pacemaker/database/mysql_bundle.pp
index 88f0e44e2..4f225d729 100644
--- a/manifests/profile/pacemaker/database/mysql_bundle.pp
+++ b/manifests/profile/pacemaker/database/mysql_bundle.pp
@@ -132,6 +132,10 @@
 # (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
 # Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
 #
+# [*bundle_user*]
+# (optional) Set the --user= switch to be passed to pcmk
+# Defaults to 'root'
+#
 class tripleo::profile::pacemaker::database::mysql_bundle (
 $mysql_docker_image = hiera('tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image', undef),
 $control_port = hiera('tripleo::profile::pacemaker::database::mysql_bundle::control_port', '3123'),
@@ -154,6 +158,7 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
 $container_backend = 'docker',
 $log_driver = undef,
 $tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
+ $bundle_user = 'root',
 $pcs_tries = hiera('pcs_tries', 20),
 $step = Integer(hiera('step')),
 ) {
@@ -444,7 +449,9 @@ MYSQL_HOST=localhost\n",
 expression => ['galera-role eq true'],
 },
 container_options => 'network=host',
- options => "--user=root --log-driver=${log_driver_real} -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
+ # lint:ignore:140chars
+ options => "--user=${bundle_user} --log-driver=${log_driver_real} -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
+ # lint:endignore
 run_command => '/bin/bash /usr/local/bin/kolla_start',
 network => "control-port=${control_port}",
 storage_maps => merge($storage_maps, $storage_maps_tls),
diff --git a/manifests/profile/pacemaker/database/redis_bundle.pp b/manifests/profile/pacemaker/database/redis_bundle.pp
index 693d185df..01719317d 100644
--- a/manifests/profile/pacemaker/database/redis_bundle.pp
+++ b/manifests/profile/pacemaker/database/redis_bundle.pp
@@ -104,6 +104,10 @@
 # (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
 # Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
 #
+# [*bundle_user*]
+# (optional) Set the --user= switch to be passed to pcmk
+# Defaults to 'root'
+#
 class tripleo::profile::pacemaker::database::redis_bundle (
 $certificate_specs = hiera('redis_certificate_specs', {}),
 $enable_internal_tls = hiera('enable_internal_tls', false),
@@ -122,6 +126,7 @@ class tripleo::profile::pacemaker::database::redis_bundle (
 $tls_proxy_fqdn = undef,
 $tls_proxy_port = 6379,
 $tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
+ $bundle_user = 'root',
 ) {
 if $::hostname == downcase($bootstrap_node) {
 $pacemaker_master = true
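Review bot: Making `--user` configurable on the galera bundle (`options` line of hunk `@@ -444,7 +449,9 @@`) is only as safe as what runs inside the container under that uid: the `control-port` network setting in the same hunk indicates pacemaker_remote and the OCF resource agent run inside the container, and the galera agent presumably still switches to the mysql user and manages the PID/socket/datadir paths itself, which will fail once the whole container is already a non-root uid. Nothing checks this at catalog compile time and the commit message only verified cinder-volume, so I would document the constraint on the parameter: `# Only change this when the image's kolla_start and the bundle's resource agent can run without root; verified for cinder-volume only.` The bundle resource whose options this sets starts before the hunk.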
@@ -348,7 +353,9 @@ slave-announce-port ${local_tuple[0][2]}
 expression => ['redis-role eq true'],
 },
 container_options => 'network=host',
- options => "--user=root --log-driver=${log_driver_real} -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
+ # lint:ignore:140chars
+ options => "--user=${bundle_user} --log-driver=${log_driver_real} -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
+ # lint:endignore
 run_command => '/bin/bash /usr/local/bin/kolla_start',
 network => "control-port=${redis_docker_control_port}",
 storage_maps => merge($storage_maps, $storage_maps_tls),
diff --git a/manifests/profile/pacemaker/haproxy_bundle.pp b/manifests/profile/pacemaker/haproxy_bundle.pp
index 75ecbe958..c0624a3d2 100644
--- a/manifests/profile/pacemaker/haproxy_bundle.pp
+++ b/manifests/profile/pacemaker/haproxy_bundle.pp
@@ -89,6 +89,10 @@
 # (Optional) The number of times pcs commands should be retried.
 # Defaults to hiera('pcs_tries', 20)
 #
+# [*bundle_user*]
+# (optional) Set the --user= switch to be passed to pcmk
+# Defaults to 'root'
+#
 class tripleo::profile::pacemaker::haproxy_bundle (
 $haproxy_docker_image = hiera('tripleo::profile::pacemaker::haproxy::haproxy_docker_image', undef),
 $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'),
@@ -103,6 +107,7 @@ class tripleo::profile::pacemaker::haproxy_bundle (
 $op_params = '',
 $container_backend = 'docker',
 $tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
+ $bundle_user = 'root',
 $log_driver = undef,
 $step = Integer(hiera('step')),
 $pcs_tries = hiera('pcs_tries', 20),
@@ -270,7 +275,9 @@ class tripleo::profile::pacemaker::haproxy_bundle (
 replicas => $haproxy_nodes_count,
 location_rule => $haproxy_location_rule,
 container_options => 'network=host',
- options => "--user=root --log-driver=${log_driver_real} -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
+ # lint:ignore:140chars
+ options => "--user=${bundle_user} --log-driver=${log_driver_real} -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
+ # lint:endignore
 run_command => '/bin/bash /usr/local/bin/kolla_start',
 storage_maps => merge($storage_maps, $cert_storage_maps, $storage_maps_internal_tls),
 container_backend => $container_backend,
diff --git a/manifests/profile/pacemaker/manila/share_bundle.pp b/manifests/profile/pacemaker/manila/share_bundle.pp
index d0e738b48..a090c2884 100644
--- a/manifests/profile/pacemaker/manila/share_bundle.pp
+++ b/manifests/profile/pacemaker/manila/share_bundle.pp
@@ -60,6 +60,10 @@
 # (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
 # Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
 #
+# [*bundle_user*]
+# (optional) Set the --user= switch to be passed to pcmk
+# Defaults to 'root'
+#
 class tripleo::profile::pacemaker::manila::share_bundle (
 $bootstrap_node = hiera('manila_share_short_bootstrap_node_name'),
 $manila_share_docker_image = hiera('tripleo::profile::pacemaker::manila::share_bundle::manila_share_docker_image', undef),
@@ -68,6 +72,7 @@ class tripleo::profile::pacemaker::manila::share_bundle (
 $ceph_nfs_enabled = hiera('ceph_nfs_enabled', false),
 $container_backend = 'docker',
 $tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
+ $bundle_user = 'root',
 $log_driver = undef,
 $pcs_tries = hiera('pcs_tries', 20),
 $step = Integer(hiera('step')),
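Review bot: A non-root `bundle_user` for haproxy (`options` line of hunk `@@ -270,7 +275,9 @@`) will presumably stop the proxy from binding any frontend below port 1024 unless the image's haproxy binary carries CAP_NET_BIND_SERVICE, and since the bundle runs with `network=host` there is no port remapping to soften that; nothing in the manifest validates it, so the failure would surface only as a restart loop of the bundle. If the parameter is meant to be overridable here at all, its doc should say so explicitly: `# Non-root values require the image to grant CAP_NET_BIND_SERVICE to haproxy (or no frontend below port 1024).` The enclosing `pacemaker::resource::bundle` resource starts before the hunk.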
@@ -243,7 +248,9 @@ class tripleo::profile::pacemaker::manila::share_bundle (
 expression => ['manila-share-role eq true'],
 },
 container_options => 'network=host',
- options => "--ipc=host --privileged=true --user=root --log-driver=${log_driver_real} ${docker_env}${tls_priorities_real}",
+ # lint:ignore:140chars
+ options => "--ipc=host --privileged=true --user=${bundle_user} --log-driver=${log_driver_real} ${docker_env}${tls_priorities_real}",
+ # lint:endignore
 run_command => '/bin/bash /usr/local/bin/kolla_start',
 storage_maps => $storage_maps,
 container_backend => $container_backend,
diff --git a/manifests/profile/pacemaker/ovn_dbs_bundle.pp b/manifests/profile/pacemaker/ovn_dbs_bundle.pp
index c76d7d6e8..b40be933a 100644
--- a/manifests/profile/pacemaker/ovn_dbs_bundle.pp
+++ b/manifests/profile/pacemaker/ovn_dbs_bundle.pp
@@ -73,6 +73,10 @@
 # (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
 # Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
 #
+# [*bundle_user*]
+# (optional) Set the --user= switch to be passed to pcmk
+# Defaults to undef
+#
 # [*enable_internal_tls*]
 # (Optional) Whether TLS in the internal network is enabled or not.
 # Defaults to hiera('enable_internal_tls', false)
@@ -106,6 +110,7 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
 $op_params = '',
 $container_backend = 'docker',
 $tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
+ $bundle_user = undef,
 $log_driver = undef,
 $enable_internal_tls = hiera('enable_internal_tls', false),
 $ca_file = undef,
@@ -217,6 +222,11 @@ nb_master_protocol=ssl sb_master_protocol=ssl"
 $tls_params = ''
 $ovn_storage_maps_tls = {}
 }
+ if $bundle_user == undef {
+ $bundle_user_real = ''
+ } else {
+ $bundle_user_real = "--user=${bundle_user} "
+ }
 $resource_map = "${resource_params}${tls_params}"
 pacemaker::resource::bundle { 'ovn-dbs-bundle':
 image => $ovn_dbs_docker_image,
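Review bot: `if $bundle_user == undef` in hunk `@@ -217,6 +222,11 @@` only skips the switch for a missing value; an empty hiera string still yields `--user= --log-driver=...` in the bundle options, which the container runtime will reject or misread, and that surfaces at pcs time rather than at catalog compile time. Declaring the parameter as `Optional[String[1]] $bundle_user = undef,` in the signature hunk rejects the empty string up front and leaves the `== undef` test correct (note that `if $bundle_user {` would not help, since an empty string is truthy in Puppet 4). The `[*bundle_user*]` doc block in the first hunk should also say what the default means, e.g. `# Defaults to undef, in which case no --user switch is passed and the container runs as the image's default user`. The `pacemaker::resource::bundle { 'ovn-dbs-bundle':` resource opened at the end of the hunk continues past it.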
@@ -224,7 +234,9 @@ nb_master_protocol=ssl sb_master_protocol=ssl"
 masters => 1,
 location_rule => $ovn_dbs_location_rule,
 container_options => 'network=host',
- options => "--log-driver=${log_driver_real} -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
+ # lint:ignore:140chars
+ options => "${bundle_user_real}--log-driver=${log_driver_real} -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
+ # lint:endignore
 run_command => '/bin/bash /usr/local/bin/kolla_start',
 network => "control-port=${ovn_dbs_control_port}",
 storage_maps => merge($storage_maps, $ovn_storage_maps_tls),
diff --git a/manifests/profile/pacemaker/rabbitmq_bundle.pp b/manifests/profile/pacemaker/rabbitmq_bundle.pp
index 3ec0fc2d2..b980e1dcb 100644
--- a/manifests/profile/pacemaker/rabbitmq_bundle.pp
+++ b/manifests/profile/pacemaker/rabbitmq_bundle.pp
@@ -92,6 +92,10 @@
 # (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
 # Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
 #
+# [*bundle_user*]
+# (optional) Set the --user= switch to be passed to pcmk
+# Defaults to 'root'
+#
 class tripleo::profile::pacemaker::rabbitmq_bundle (
 $rabbitmq_docker_image = hiera('tripleo::profile::pacemaker::rabbitmq_bundle::rabbitmq_docker_image', undef),
 $rabbitmq_docker_control_port = hiera('tripleo::profile::pacemaker::rabbitmq_bundle::control_port', '3122'),
@@ -112,6 +116,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
 $container_backend = 'docker',
 $log_driver = undef,
 $tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
+ $bundle_user = 'root',
 ) {
 # is this an additional nova cell?
 if hiera('nova_is_additional_cell', undef) {
@@ -284,7 +289,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
 },
 container_options => 'network=host',
 # lint:ignore:140chars
- options => "--user=root --log-driver=${log_driver_real} -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS -e LANG=en_US.UTF-8 -e LC_ALL=en_US.UTF-8${tls_priorities_real}",
+ options => "--user=${bundle_user} --log-driver=${log_driver_real} -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS -e LANG=en_US.UTF-8 -e LC_ALL=en_US.UTF-8${tls_priorities_real}",
 # lint:endignore
 run_command => '/bin/bash /usr/local/bin/kolla_start',
 network => "control-port=${rabbitmq_docker_control_port}",