From 31ab969ed9bcc8a5602c41431292ef7ed96771a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= <cjeanner@redhat.com>
Date: Wed, 28 Nov 2018 13:56:13 +0100
Subject: [PATCH] Ensure we get dedicated logging file for HAProxy

With the current configuration, HAProxy logs are in the host journal.
This isn't really friendly when you want to debug issues with this service.

This patches ensures HAProxy logs are in a dedicated file, using the syslog
facility set in its configuration.

Closes-Bug: #1814880
Depends-On: I8fee040287940188f6bc6bc35bdbdaf6c234cbfd
Change-Id: Ia615ac07d0c559deb65e307bb6254127e989794d
(cherry picked from commit 0576e26234206ab36b161cd43e6b2b69daf49948)
---
 common/deploy-steps-tasks.yaml                |  8 ++++
 docker/services/haproxy.yaml                  | 28 +++++++++++-
 docker/services/pacemaker/haproxy.yaml        | 43 ++++++++++++++++++-
 puppet/services/haproxy.yaml                  |  5 +++
 puppet/services/pacemaker/haproxy.yaml        | 10 +++++
 .../notes/haproxy-log-2805e3697cbadf49.yaml   |  4 ++
 6 files changed, 95 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/haproxy-log-2805e3697cbadf49.yaml

diff --git a/common/deploy-steps-tasks.yaml b/common/deploy-steps-tasks.yaml
index 668ac78a09..4a6d8d0b5d 100644
--- a/common/deploy-steps-tasks.yaml
+++ b/common/deploy-steps-tasks.yaml
@@ -8,6 +8,14 @@
       when: step == "1"
       become: true
       block:
+        - name: Create and ensure setype for /var/log/containers directory
+          file:
+            path: /var/log/containers
+            state: directory
+            setype: var_log_t
+            selevel: s0
+          tags:
+            - host_config
         - name: Create /var/lib/tripleo-config directory
           file: path=/var/lib/tripleo-config state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
 
diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml
index 5f08d39c7b..bd6dfd441d 100644
--- a/docker/services/haproxy.yaml
+++ b/docker/services/haproxy.yaml
@@ -40,6 +40,10 @@ parameters:
     default: /dev/log
     description: Syslog address where HAproxy will send its log
     type: string
+  HAProxySyslogFacility:
+    default: local0
+    description: Syslog facility HAProxy will use for its logs
+    type: string
   SSLCertificate:
     default: ''
     description: >
@@ -110,6 +114,8 @@ resources:
       DefaultPasswords: {get_param: DefaultPasswords}
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
+      HAProxySyslogAddress: {get_param: HAProxySyslogAddress}
+      HAProxySyslogFacility: {get_param: HAProxySyslogFacility}
 
   HAProxyLogging:
     type: OS::TripleO::Services::Logging::HAProxy
@@ -248,13 +254,33 @@ outputs:
               environment:
                 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
       host_prep_tasks:
+        - name: Check if rsyslog exists
+          shell: systemctl is-active rsyslog
+          register: rsyslog_config
+        - when: rsyslog_config.rc == 0
+          block:
+            - name: Forward logging to haproxy.log file
+              blockinfile:
+                content: |
+                  if $syslogfacility-text == '{{facility}}' and $programname == 'haproxy' then -/var/log/containers/haproxy/haproxy.log
+                  & stop
+                create: yes
+                path: /etc/rsyslog.d/openstack-haproxy.conf
+              vars:
+                facility: {get_param: HAProxySyslogFacility}
+              register: logconfig
+            - name: restart rsyslog service after logging conf change
+              service:
+                name: rsyslog
+                state: restarted
+              when: logconfig is changed
         - name: create persistent directories
           file:
             path: "{{ item.path }}"
             state: directory
             setype: "{{ item.setype }}"
           with_items:
-            - { 'path': /var/log/containers/haproxy, 'setype': svirt_sandbox_file_t }
+            - { 'path': /var/log/containers/haproxy, 'setype': var_log_t }
             - { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t }
             - { 'path': /var/log/haproxy, 'setype': svirt_sandbox_file_t }
         - name: haproxy logs readme
diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml
index 1981a531c3..eb94fa6e00 100644
--- a/docker/services/pacemaker/haproxy.yaml
+++ b/docker/services/pacemaker/haproxy.yaml
@@ -67,6 +67,14 @@ parameters:
   HAProxyInternalTLSKeysDirectory:
     default: '/etc/pki/tls/private/haproxy'
     type: string
+  HAProxySyslogAddress:
+    default: /dev/log
+    description: Syslog address where HAproxy will send its log
+    type: string
+  HAProxySyslogFacility:
+    default: local0
+    description: Syslog facility HAProxy will use for its logs
+    type: string
   ConfigDebug:
     default: false
     description: Whether to run config management (e.g. Puppet) in debug mode.
@@ -109,6 +117,8 @@ resources:
       DefaultPasswords: {get_param: DefaultPasswords}
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
+      HAProxySyslogAddress: {get_param: HAProxySyslogAddress}
+      HAProxySyslogFacility: {get_param: HAProxySyslogFacility}
 
 outputs:
   role_data:
@@ -279,12 +289,41 @@ outputs:
                   - - 'TRIPLEO_DEPLOY_IDENTIFIER='
                     - {get_param: DeployIdentifier}
       host_prep_tasks:
+        - name: Check if rsyslog exists
+          shell: systemctl is-active rsyslog
+          register: rsyslog_config
+        - when: rsyslog_config.rc == 0
+          block:
+            - name: Forward logging to haproxy.log file
+              blockinfile:
+                content: |
+                  if $syslogfacility-text == '{{facility}}' and $programname == 'haproxy' then -/var/log/containers/haproxy/haproxy.log
+                  & stop
+                create: yes
+                path: /etc/rsyslog.d/openstack-haproxy.conf
+              vars:
+                facility: {get_param: HAProxySyslogFacility}
+              register: logconfig
+            - name: restart rsyslog service after logging conf change
+              service:
+                name: rsyslog
+                state: restarted
+              when: logconfig is changed
         - name: create persistent directories
           file:
-            path: "{{ item }}"
+            path: "{{ item.path }}"
             state: directory
+            setype: "{{ item.setype }}"
           with_items:
-            - /var/lib/haproxy
+            - { 'path': /var/log/containers/haproxy, 'setype': var_log_t }
+            - { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t }
+        - name: haproxy logs readme
+          copy:
+            dest: /var/log/haproxy/readme.txt
+            content: |
+              Log files from the haproxy containers can be found under
+              /var/log/containers/haproxy.
+          ignore_errors: true
       metadata_settings:
         get_attr: [HAProxyBase, role_data, metadata_settings]
       update_tasks:
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index 04a06c9c5a..578416afd6 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -46,6 +46,10 @@ parameters:
     default: /dev/log
     description: Syslog address where HAproxy will send its log
     type: string
+  HAProxySyslogFacility:
+    default: local0
+    description: Syslog facility HAProxy will use for its logs
+    type: string
   HAProxyStatsEnabled:
     default: true
     description: Whether or not to enable the HAProxy stats interface.
@@ -129,6 +133,7 @@ outputs:
               '107 haproxy stats':
                 dport: 1993
             tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
+            tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
             tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
             tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
             tripleo::haproxy::redis_password: {get_param: RedisPassword}
diff --git a/puppet/services/pacemaker/haproxy.yaml b/puppet/services/pacemaker/haproxy.yaml
index 2fddca9664..9529f9c805 100644
--- a/puppet/services/pacemaker/haproxy.yaml
+++ b/puppet/services/pacemaker/haproxy.yaml
@@ -30,6 +30,14 @@ parameters:
     description: Mapping of service endpoint -> protocol. Typically set
                  via parameter_defaults in the resource registry.
     type: json
+  HAProxySyslogFacility:
+    default: local0
+    description: Syslog facility HAProxy will use for its logs
+    type: string
+  HAProxySyslogAddress:
+    default: /dev/log
+    description: Syslog address where HAproxy will send its log
+    type: string
 
 resources:
   LoadbalancerServiceBase:
@@ -53,6 +61,8 @@ outputs:
           - get_attr: [LoadbalancerServiceBase, role_data, config_settings]
           - tripleo::haproxy::haproxy_service_manage: false
             tripleo::haproxy::mysql_clustercheck: true
+            tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
+            tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
       step_config: |
         include ::tripleo::profile::pacemaker::haproxy
       metadata_settings:
diff --git a/releasenotes/notes/haproxy-log-2805e3697cbadf49.yaml b/releasenotes/notes/haproxy-log-2805e3697cbadf49.yaml
new file mode 100644
index 0000000000..e3cf3515d2
--- /dev/null
+++ b/releasenotes/notes/haproxy-log-2805e3697cbadf49.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - Allow to output HAProxy in a dedicated file
+  - Adds new HAProxySyslogFacility param