Ensure we get dedicated logging file for HAProxy

With the current configuration, HAProxy logs are in the host journal.
This isn't really friendly when you want to debug issues with this service.

This patches ensures HAProxy logs are in a dedicated file, using the syslog
facility set in its configuration.

Depends-On: I8fee040287940188f6bc6bc35bdbdaf6c234cbfd
Change-Id: Ia615ac07d0c559deb65e307bb6254127e989794d

common/deploy-steps-tasks.yaml

@@ -21,6 +21,14 @@
     - name: Write config data at the start of step 1
       when: step == "1"
       block:
+        - name: Create and ensure setype for /var/log/containers directory
+          file:
+            path: /var/log/containers
+            state: directory
+            setype: var_log_t
+            selevel: s0
+          tags:
+            - host_config
         - name: Create /var/lib/tripleo-config directory
           file:
             path: /var/lib/tripleo-config

docker/services/haproxy.yaml

@@ -40,6 +40,10 @@ parameters:
     default: /dev/log
     description: Syslog address where HAproxy will send its log
     type: string
+  HAProxySyslogFacility:
+    default: local0
+    description: Syslog facility HAProxy will use for its logs
+    type: string
   SSLCertificate:
     default: ''
     description: >
@@ -121,6 +125,8 @@ resources:
       DefaultPasswords: {get_param: DefaultPasswords}
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
+      HAProxySyslogAddress: {get_param: HAProxySyslogAddress}
+      HAProxySyslogFacility: {get_param: HAProxySyslogFacility}
 
   HAProxyLogging:
     type: OS::TripleO::Services::Logging::HAProxy
@@ -279,13 +285,33 @@ outputs:
               - haproxy
       host_prep_tasks:
         - {get_attr: [HAProxyBase, role_data, host_prep_tasks]}
+        - name: Check if rsyslog exists
+          shell: systemctl is-active rsyslog
+          register: rsyslog_config
+        - when: rsyslog_config.rc == 0
+          block:
+            - name: Forward logging to haproxy.log file
+              blockinfile:
+                content: |
+                  if $syslogfacility-text == '{{facility}}' and $programname == 'haproxy' then -/var/log/containers/haproxy/haproxy.log
+                  & stop
+                create: yes
+                path: /etc/rsyslog.d/openstack-haproxy.conf
+              vars:
+                facility: {get_param: HAProxySyslogFacility}
+              register: logconfig
+            - name: restart rsyslog service after logging conf change
+              service:
+                name: rsyslog
+                state: restarted
+              when: logconfig is changed
         - name: create persistent directories
           file:
             path: "{{ item.path }}"
             state: directory
             setype: "{{ item.setype }}"
           with_items:
-            - { 'path': /var/log/containers/haproxy, 'setype': svirt_sandbox_file_t }
+            - { 'path': /var/log/containers/haproxy, 'setype': var_log_t }
             - { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t }
         - name: haproxy logs readme
           copy:

docker/services/pacemaker/haproxy.yaml

@@ -75,6 +75,14 @@ parameters:
   HAProxyInternalTLSKeysDirectory:
     default: '/etc/pki/tls/private/haproxy'
     type: string
+  HAProxySyslogAddress:
+    default: /dev/log
+    description: Syslog address where HAproxy will send its log
+    type: string
+  HAProxySyslogFacility:
+    default: local0
+    description: Syslog facility HAProxy will use for its logs
+    type: string
   ConfigDebug:
     default: false
     description: Whether to run config management (e.g. Puppet) in debug mode.
@@ -126,6 +134,8 @@ resources:
       DefaultPasswords: {get_param: DefaultPasswords}
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
+      HAProxySyslogAddress: {get_param: HAProxySyslogAddress}
+      HAProxySyslogFacility: {get_param: HAProxySyslogFacility}
 
 outputs:
   role_data:
@@ -279,13 +289,41 @@ outputs:
                     - {get_param: DeployIdentifier}
       host_prep_tasks:
         - {get_attr: [HAProxyBase, role_data, host_prep_tasks]}
+        - name: Check if rsyslog exists
+          shell: systemctl is-active rsyslog
+          register: rsyslog_config
+        - when: rsyslog_config.rc == 0
+          block:
+            - name: Forward logging to haproxy.log file
+              blockinfile:
+                content: |
+                  if $syslogfacility-text == '{{facility}}' and $programname == 'haproxy' then -/var/log/containers/haproxy/haproxy.log
+                  & stop
+                create: yes
+                path: /etc/rsyslog.d/openstack-haproxy.conf
+              vars:
+                facility: {get_param: HAProxySyslogFacility}
+              register: logconfig
+            - name: restart rsyslog service after logging conf change
+              service:
+                name: rsyslog
+                state: restarted
+              when: logconfig is changed
         - name: create persistent directories
           file:
             path: "{{ item.path }}"
             state: directory
             setype: "{{ item.setype }}"
           with_items:
+            - { 'path': /var/log/containers/haproxy, 'setype': var_log_t }
             - { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t }
+        - name: haproxy logs readme
+          copy:
+            dest: /var/log/haproxy/readme.txt
+            content: |
+              Log files from the haproxy containers can be found under
+              /var/log/containers/haproxy.
+          ignore_errors: true
       metadata_settings:
         get_attr: [HAProxyBase, role_data, metadata_settings]
       deploy_steps_tasks:

puppet/services/haproxy.yaml

@@ -46,6 +46,10 @@ parameters:
     default: /dev/log
     description: Syslog address where HAproxy will send its log
     type: string
+  HAProxySyslogFacility:
+    default: local0
+    description: Syslog facility HAProxy will use for its logs
+    type: string
   HAProxyStatsEnabled:
     default: true
     description: Whether or not to enable the HAProxy stats interface.
@@ -140,6 +144,7 @@ outputs:
               '107 haproxy stats':
                 dport: 1993
             tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
+            tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
             tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
             tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
             tripleo::haproxy::redis_password: {get_param: RedisPassword}

puppet/services/pacemaker/haproxy.yaml

@@ -30,6 +30,14 @@ parameters:
     description: Mapping of service endpoint -> protocol. Typically set
                  via parameter_defaults in the resource registry.
     type: json
+  HAProxySyslogFacility:
+    default: local0
+    description: Syslog facility HAProxy will use for its logs
+    type: string
+  HAProxySyslogAddress:
+    default: /dev/log
+    description: Syslog address where HAproxy will send its log
+    type: string
 
 resources:
   LoadbalancerServiceBase:
@@ -53,6 +61,8 @@ outputs:
           - get_attr: [LoadbalancerServiceBase, role_data, config_settings]
           - tripleo::haproxy::haproxy_service_manage: false
             tripleo::haproxy::mysql_clustercheck: true
+            tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
+            tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
       step_config: |
         include ::tripleo::profile::pacemaker::haproxy
       host_prep_tasks: {get_attr: [LoadbalancerServiceBase, role_data, host_prep_tasks]}

releasenotes/notes/haproxy-log-2805e3697cbadf49.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - Allow to output HAProxy in a dedicated file
+  - Adds new HAProxySyslogFacility param