openstack/tripleo-heat-templates
Code Issues Proposed changes

Set proper setype for service directories

Browse Source 
This will allow proper access from the containers without any
new SELinux policy

Depends-On: Ie9f5d3b6380caa6824ca940ca48ed0fcf6308608
Change-Id: I284126db5dcf9dc31ee5ee640b2684643ef3a066
This commit is contained in:
Cédric Jeanneret 2018-09-05 17:28:06 +02:00 committed by Emilien Macchi
parent 1badfc470a
commit 3eeece2d29
45 changed files with 179 additions and 141 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
docker/services/aodh-api.yaml
View File

@ -105,8 +105,8 @@ outputs:
image: &aodh_api_image {get_param: DockerAodhApiImage}
user: root
volumes:
- /var/log/containers/aodh:/var/log/aodh
- /var/log/containers/httpd/aodh-api:/var/log/httpd
- /var/log/containers/aodh:/var/log/aodh:z
- /var/log/containers/httpd/aodh-api:/var/log/httpd:z
command: ['/bin/bash', '-c', 'chown -R aodh:aodh /var/log/aodh']
step_3:
aodh_db_sync:
@ -155,11 +155,12 @@ outputs:
host_prep_tasks:
- name: create persistent logs directory
file:
path: "{{ item }}"
path: "{{ item.path }}"
setype: "{{ item.setype }}"
state: directory
with_items:
- /var/log/containers/aodh
- /var/log/containers/httpd/aodh-api
- { 'path': /var/log/containers/aodh, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/httpd/aodh-api, setype: svirt_sandbox_file_t }
- name: aodh logs readme
copy:
dest: /var/log/aodh/readme.txt

3
docker/services/aodh-evaluator.yaml
View File

@ -106,7 +106,7 @@ outputs:
-
- /var/lib/kolla/config_files/aodh_evaluator.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/aodh/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/aodh:/var/log/aodh
- /var/log/containers/aodh:/var/log/aodh:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks:
@ -114,6 +114,7 @@ outputs:
file:
path: /var/log/containers/aodh
state: directory
setype: svirt_sandbox_file_t
- name: aodh logs readme
copy:
dest: /var/log/aodh/readme.txt

3
docker/services/aodh-listener.yaml
View File

@ -113,7 +113,7 @@ outputs:
-
- /var/lib/kolla/config_files/aodh_listener.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/aodh/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/aodh:/var/log/aodh
- /var/log/containers/aodh:/var/log/aodh:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks:
@ -121,6 +121,7 @@ outputs:
file:
path: /var/log/containers/aodh
state: directory
setype: svirt_sandbox_file_t
- name: aodh logs readme
copy:
dest: /var/log/aodh/readme.txt

3
docker/services/aodh-notifier.yaml
View File

@ -113,7 +113,7 @@ outputs:
-
- /var/lib/kolla/config_files/aodh_notifier.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/aodh/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/aodh:/var/log/aodh
- /var/log/containers/aodh:/var/log/aodh:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks:
@ -121,6 +121,7 @@ outputs:
file:
path: /var/log/containers/aodh
state: directory
setype: svirt_sandbox_file_t
- name: aodh logs readme
copy:
dest: /var/log/aodh/readme.txt

3
docker/services/ceilometer-agent-central.yaml
View File

@ -99,7 +99,7 @@ outputs:
user: root
command: ['/bin/bash', '-c', 'chown -R ceilometer:ceilometer /var/log/ceilometer']
volumes:
- /var/log/containers/ceilometer:/var/log/ceilometer
- /var/log/containers/ceilometer:/var/log/ceilometer:z
step_4:
ceilometer_agent_central:
image: *ceilometer_agent_central_image
@ -142,6 +142,7 @@ outputs:
file:
path: /var/log/containers/ceilometer
state: directory
setype: svirt_sandbox_file_t
- name: ceilometer logs readme
copy:
dest: /var/log/ceilometer/readme.txt

3
docker/services/ceilometer-agent-ipmi.yaml
View File

@ -99,7 +99,7 @@ outputs:
user: root
command: ['/bin/bash', '-c', 'chown -R ceilometer:ceilometer /var/log/ceilometer']
volumes:
- /var/log/containers/ceilometer:/var/log/ceilometer
- /var/log/containers/ceilometer:/var/log/ceilometer:z
step_4:
ceilometer_agent_ipmi:
image: *ceilometer_agent_ipmi_image
@ -121,6 +121,7 @@ outputs:
file:
path: /var/log/containers/ceilometer
state: directory
setype: svirt_sandbox_file_t
- name: ceilometer logs readme
copy:
dest: /var/log/ceilometer/readme.txt

3
docker/services/ceilometer-agent-notification.yaml
View File

@ -107,7 +107,7 @@ outputs:
user: root
command: ['/bin/bash', '-c', 'chown -R ceilometer:ceilometer /var/log/ceilometer']
volumes:
- /var/log/containers/ceilometer:/var/log/ceilometer
- /var/log/containers/ceilometer:/var/log/ceilometer:z
step_4:
ceilometer_agent_notification:
image: *ceilometer_agent_notification_image
@ -138,6 +138,7 @@ outputs:
file:
path: /var/log/containers/ceilometer
state: directory
setype: svirt_sandbox_file_t
- name: ceilometer logs readme
copy:
dest: /var/log/ceilometer/readme.txt

11
docker/services/cinder-api.yaml
View File

@ -126,8 +126,8 @@ outputs:
privileged: false
user: root
volumes:
- /var/log/containers/cinder:/var/log/cinder
- /var/log/containers/httpd/cinder-api:/var/log/httpd
- /var/log/containers/cinder:/var/log/cinder:z
- /var/log/containers/httpd/cinder-api:/var/log/httpd:z
command: ['/bin/bash', '-c', 'chown -R cinder:cinder /var/log/cinder']
step_3:
cinder_api_db_sync:
@ -232,11 +232,12 @@ outputs:
host_prep_tasks:
- name: create persistent logs directory
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/cinder
- /var/log/containers/httpd/cinder-api
- { 'path': /var/log/containers/cinder, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/httpd/cinder-api, 'setype': svirt_sandbox_file_t }
- name: cinder logs readme
copy:
dest: /var/log/cinder/readme.txt

7
docker/services/cinder-scheduler.yaml
View File

@ -108,7 +108,7 @@ outputs:
privileged: false
user: root
volumes:
- /var/log/containers/cinder:/var/log/cinder
- /var/log/containers/cinder:/var/log/cinder:z
command: ['/bin/bash', '-c', 'chown -R cinder:cinder /var/log/cinder']
step_4:
cinder_scheduler:
@ -137,10 +137,11 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/cinder
- { 'path': /var/log/containers/cinder, 'setype': svirt_sandbox_file_t }
- name: cinder logs readme
copy:
dest: /var/log/cinder/readme.txt

9
docker/services/cinder-volume.yaml
View File

@ -157,7 +157,7 @@ outputs:
privileged: false
user: root
volumes:
- /var/log/containers/cinder:/var/log/cinder
- /var/log/containers/cinder:/var/log/cinder:z
command: ['/bin/bash', '-c', 'chown -R cinder:cinder /var/log/cinder']
step_4:
cinder_volume:
@ -181,11 +181,12 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/cinder
- /var/lib/cinder
- { 'path': /var/log/containers/cinder, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/cinder, 'setype': svirt_sandbox_file_t }
- name: cinder logs readme
copy:
dest: /var/log/cinder/readme.txt

11
docker/services/database/mysql.yaml
View File

@ -132,8 +132,8 @@ outputs:
privileged: false
user: root
volumes:
- /var/log/containers/mysql:/var/log/mariadb
- /var/lib/mysql:/var/lib/mysql
- /var/log/containers/mysql:/var/log/mariadb:z
- /var/lib/mysql:/var/lib/mysql:z
command: ['/bin/bash', '-c', 'chown -R mysql:mysql /var/log/mariadb /var/lib/mysql']
step_2:
mysql_bootstrap:
@ -232,11 +232,12 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/mysql
- /var/lib/mysql
- {'path':/var/log/containers/mysql, 'setype': 'svirt_sandbox_file_t'}
- {'path': /var/lib/mysql, 'setype': 'svirt_sandbox_file_t'}
- name: mysql logs readme
copy:
dest: /var/log/mariadb/readme.txt

12
docker/services/database/redis.yaml
View File

@ -109,7 +109,7 @@ outputs:
privileged: false
user: root
volumes:
- /var/log/containers/redis:/var/log/redis
- /var/log/containers/redis:/var/log/redis:z
command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis']
- redis:
start_order: 1
@ -124,8 +124,8 @@ outputs:
- /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro
- /etc/localtime:/etc/localtime:ro
- /var/log/containers/redis:/var/log/redis
- /var/run/redis:/var/run/redis
- /var/log/containers/redis:/var/log/redis:z
- /var/run/redis:/var/run/redis:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- if:
@ -154,11 +154,11 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
with_items:
- /var/log/containers/redis
- /var/run/redis
- { 'path': /var/log/containers/redis, 'setype': svirt_sandbox_file_t }
- { 'path': /var/run/redis, 'setype': container_var_run_t }
- name: redis logs readme
copy:
dest: /var/log/redis/readme.txt

4
docker/services/glance-api.yaml
View File

@ -15,6 +15,7 @@ parameters:
default:
tag: openstack.glance.api
path: /var/log/containers/glance/api.log
setype: svirt_sandbox_file_t
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
@ -178,7 +179,7 @@ outputs:
- /var/lib/kolla/config_files/glance_api.json:/var/lib/kolla/config_files/config.json
- /var/lib/config-data/puppet-generated/glance_api/:/var/lib/kolla/config_files/src:ro
- /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
- /var/lib/glance:/var/lib/glance:slave
- /var/lib/glance:/var/lib/glance:z
-
if:
- cinder_backend_enabled
@ -233,6 +234,7 @@ outputs:
file:
path: /var/lib/glance
state: directory
setype: svirt_sandbox_file_t
upgrade_tasks:
- when: step|int == 0
tags: common

11
docker/services/gnocchi-api.yaml
View File

@ -148,8 +148,8 @@ outputs:
image: &gnocchi_api_image {get_param: DockerGnocchiApiImage}
user: root
volumes:
- /var/log/containers/gnocchi:/var/log/gnocchi
- /var/log/containers/httpd/gnocchi-api:/var/log/httpd
- /var/log/containers/gnocchi:/var/log/gnocchi:z
- /var/log/containers/httpd/gnocchi-api:/var/log/httpd:z
command: ['/bin/bash', '-c', 'chown -R gnocchi:gnocchi /var/log/gnocchi']
gnocchi_init_lib:
image: *gnocchi_api_image
@ -221,11 +221,12 @@ outputs:
host_prep_tasks:
- name: create persistent logs directory
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/gnocchi
- /var/log/containers/httpd/gnocchi-api
- { 'path': /var/log/containers/gnocchi, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/httpd/gnocchi-api, 'setype': svirt_sandbox_file_t }
- name: gnocchi logs readme
copy:
dest: /var/log/gnocchi/readme.txt

3
docker/services/gnocchi-metricd.yaml
View File

@ -130,7 +130,7 @@ outputs:
-
- /var/lib/kolla/config_files/gnocchi_metricd.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/gnocchi/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/gnocchi:/var/log/gnocchi
- /var/log/containers/gnocchi:/var/log/gnocchi:z
- /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
- str_replace:
template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH
@ -142,6 +142,7 @@ outputs:
file:
path: /var/log/containers/gnocchi
state: directory
setype: svirt_sandbox_file_t
- name: gnocchi logs readme
copy:
dest: /var/log/gnocchi/readme.txt

3
docker/services/gnocchi-statsd.yaml
View File

@ -130,7 +130,7 @@ outputs:
-
- /var/lib/kolla/config_files/gnocchi_statsd.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/gnocchi/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/gnocchi:/var/log/gnocchi
- /var/log/containers/gnocchi:/var/log/gnocchi:z
- /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
- str_replace:
template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH
@ -142,6 +142,7 @@ outputs:
file:
path: /var/log/containers/gnocchi
state: directory
setype: svirt_sandbox_file_t
- name: gnocchi logs readme
copy:
dest: /var/log/gnocchi/readme.txt

21
docker/services/haproxy.yaml
View File

@ -155,17 +155,17 @@ outputs:
- ':'
- - {get_param: DeployedSSLCertificatePath}
- {get_param: DeployedSSLCertificatePath}
- 'ro'
- 'ro,shared'
- null
- if:
- internal_tls_enabled
- - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro
- /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro
- - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro,shared
- /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro,shared
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- 'ro,shared'
- null
kolla_config:
/var/lib/kolla/config_files/haproxy.json:
@ -246,12 +246,12 @@ outputs:
- ''
- - /var/lib/kolla/config_files/src-tls/
- {get_param: DeployedSSLCertificatePath}
- 'ro'
- 'ro,shared'
- null
- if:
- internal_tls_enabled
- - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
- /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
- - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro,shared
- /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro,shared
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
@ -293,11 +293,12 @@ outputs:
- {get_attr: [HAProxyBase, role_data, host_prep_tasks]}
- name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/haproxy
- /var/lib/haproxy
- { 'path': /var/log/containers/haproxy, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t }
- name: haproxy logs readme
copy:
dest: /var/log/haproxy/readme.txt

11
docker/services/ironic-api.yaml
View File

@ -100,8 +100,8 @@ outputs:
privileged: false
user: root
volumes:
- /var/log/containers/ironic:/var/log/ironic
- /var/log/containers/httpd/ironic-api:/var/log/httpd
- /var/log/containers/ironic:/var/log/ironic:z
- /var/log/containers/httpd/ironic-api:/var/log/httpd:z
command: ['/bin/bash', '-c', 'chown -R ironic:ironic /var/log/ironic']
step_3:
ironic_db_sync:
@ -157,11 +157,12 @@ outputs:
host_prep_tasks:
- name: create persistent logs directory
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/ironic
- /var/log/containers/httpd/ironic-api
- { 'path': /var/log/containers/ironic, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/httpd/ironic-api, 'setype': svirt_sandbox_file_t }
- name: ironic logs readme
copy:
dest: /var/log/ironic/readme.txt

11
docker/services/ironic-conductor.yaml
View File

@ -188,18 +188,19 @@ outputs:
- /sys:/sys
- /dev:/dev
- /run:/run #shared?
- /var/lib/ironic:/var/lib/ironic:shared
- /var/log/containers/ironic:/var/log/ironic
- /var/lib/ironic:/var/lib/ironic:z
- /var/log/containers/ironic:/var/log/ironic:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/ironic
- /var/lib/ironic
- { 'path': /var/log/containers/ironic, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/ironic, 'setype': svirt_sandbox_file_t }
- name: ironic logs readme
copy:
dest: /var/log/ironic/readme.txt

6
docker/services/ironic-inspector.yaml
View File

@ -89,8 +89,8 @@ outputs:
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: DockerIronicInspectorConfigImage}
volumes:
- /var/lib/ironic:/var/lib/ironic:shared
- /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared
- /var/lib/ironic:/var/lib/ironic:z
- /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:z
kolla_config:
/var/lib/kolla/config_files/ironic_inspector.json:
command: /usr/bin/ironic-inspector --config-file /etc/ironic-inspector/inspector-dist.conf --config-file /etc/ironic-inspector/inspector.conf
@ -224,6 +224,7 @@ outputs:
file:
path: /var/log/containers/ironic-inspector
state: directory
setype: svirt_sandbox_file_t
- name: ironic-inspector logs readme
copy:
dest: /var/log/ironic-inspector/readme.txt
@ -235,6 +236,7 @@ outputs:
file:
path: /var/lib/ironic-inspector/dhcp-hostsdir
state: directory
setype: svirt_sandbox_file_t
upgrade_tasks:
- when: step|int == 0
tags: common

15
docker/services/ironic-pxe.yaml
View File

@ -132,10 +132,10 @@ outputs:
-
- /var/lib/kolla/config_files/ironic_pxe_tftp.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/ironic/:/var/lib/kolla/config_files/src:ro
- /var/lib/ironic:/var/lib/ironic/:shared
- /var/lib/ironic:/var/lib/ironic/:z
- /dev/log:/dev/log
- /var/log/containers/ironic:/var/log/ironic
- /var/log/containers/httpd/ironic-pxe:/var/log/httpd
- /var/log/containers/ironic:/var/log/ironic:z
- /var/log/containers/httpd/ironic-pxe:/var/log/httpd:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
ironic_pxe_http:
@ -158,12 +158,13 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/lib/ironic
- /var/log/containers/ironic
- /var/log/containers/httpd/ironic-pxe
- { 'path': /var/lib/ironic, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/ironic, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/httpd/ironic-pxe, 'setype': svirt_sandbox_file_t }
- name: ironic logs readme
copy:
dest: /var/log/ironic/readme.txt

3
docker/services/iscsid.yaml
View File

@ -72,7 +72,7 @@ outputs:
# However, overcloud nodes must have a unique IQN. Allow full
# (write) access to /etc/iscsi so that puppet ensures the IQN
# is unique and is reset once, and only once.
- /etc/iscsi:/etc/iscsi
- /etc/iscsi:/etc/iscsi:z
kolla_config:
/var/lib/kolla/config_files/iscsid.json:
command: /usr/sbin/iscsid -f
@ -111,6 +111,7 @@ outputs:
file:
path: /etc/iscsi
state: directory
setype: svirt_sandbox_file_t
- name: stat /lib/systemd/system/iscsid.socket
stat: path=/lib/systemd/system/iscsid.socket
register: stat_iscsid_socket

5
docker/services/keepalived.yaml
View File

@ -98,9 +98,9 @@ outputs:
-
- /var/lib/kolla/config_files/keepalived.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/keepalived/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/keepalived/:/var/log/
- /var/log/containers/keepalived/:/var/log/:z
- /lib/modules/:/lib/modules/:ro
- /var/lib/haproxy/:/var/lib/haproxy/
- /var/lib/haproxy/:/var/lib/haproxy/:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
command: /usr/local/bin/kolla_start
@ -109,6 +109,7 @@ outputs:
file:
path: /var/log/containers/keepalived
state: directory
setype: svirt_sandbox_file_t
- name: keepalived logs readme
copy:
dest: /var/log/keepalived-readme.txt

5
docker/services/logging/files/glance-api.yaml
View File

@ -32,10 +32,11 @@ outputs:
value:
- name: create persistent logs directory
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/glance
- { 'path': /var/log/containers/glance, 'setype': svirt_sandbox_file_t }
- name: glance logs readme
copy:
dest: /var/log/glance/readme.txt

7
docker/services/logging/files/keystone.yaml
View File

@ -35,11 +35,12 @@ outputs:
value:
- name: create persistent logs directory
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/keystone
- /var/log/containers/httpd/keystone
- { 'path': /var/log/containers/keystone, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/httpd/keystone, 'setype': svirt_sandbox_file_t }
- name: keystone logs readme
copy:
dest: /var/log/keystone/readme.txt

11
docker/services/logging/files/nova-api.yaml
View File

@ -15,8 +15,8 @@ outputs:
volumes:
description: The volumes needed to log to files in the host.
value: &nova_api_volumes
- /var/log/containers/nova:/var/log/nova
- /var/log/containers/httpd/nova-api:/var/log/httpd
- /var/log/containers/nova:/var/log/nova:z
- /var/log/containers/httpd/nova-api:/var/log/httpd:z
docker_config:
description: Extra containers needed for logging to files in the host.
value:
@ -33,11 +33,12 @@ outputs:
value:
- name: create persistent logs directory
file:
path: "{{ item }}"
path: "{{ item.path }}"
setype: "{{ item.setype }}"
state: directory
with_items:
- /var/log/containers/nova
- /var/log/containers/httpd/nova-api
- { 'path': /var/log/containers/nova, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/httpd/nova-api, 'setype': svirt_sandbox_file_t }
- name: nova logs readme
copy:
dest: /var/log/nova/readme.txt

2
docker/services/logrotate-crond.yaml
View File

@ -99,6 +99,6 @@ outputs:
- /var/run/docker.sock:/var/run/docker.sock:rw
- /var/lib/kolla/config_files/logrotate-crond.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/crond/:/var/lib/kolla/config_files/src:ro
- /var/log/containers:/var/log/containers
- /var/log/containers:/var/log/containers:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS

11
docker/services/messaging/notify-rabbitmq.yaml
View File

@ -127,7 +127,7 @@ outputs:
privileged: false
user: root
volumes:
- /var/log/containers/rabbitmq:/var/log/rabbitmq
- /var/log/containers/rabbitmq:/var/log/rabbitmq:z
command: ['/bin/bash', '-c', 'chown -R rabbitmq:rabbitmq /var/log/rabbitmq']
rabbitmq_bootstrap:
start_order: 1
@ -141,7 +141,7 @@ outputs:
-
- /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
- /var/lib/rabbitmq:/var/lib/rabbitmq
- /var/lib/rabbitmq:/var/lib/rabbitmq:z
- /var/log/containers/rabbitmq:/var/log/rabbitmq
- if:
- internal_tls_enabled
@ -212,11 +212,12 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/rabbitmq
- /var/lib/rabbitmq
- { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
- name: rabbitmq logs readme
copy:
dest: /var/log/rabbitmq/readme.txt

11
docker/services/messaging/rpc-rabbitmq.yaml
View File

@ -127,7 +127,7 @@ outputs:
privileged: false
user: root
volumes:
- /var/log/containers/rabbitmq:/var/log/rabbitmq
- /var/log/containers/rabbitmq:/var/log/rabbitmq:z
command: ['/bin/bash', '-c', 'chown -R rabbitmq:rabbitmq /var/log/rabbitmq']
rabbitmq_bootstrap:
start_order: 1
@ -141,7 +141,7 @@ outputs:
-
- /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
- /var/lib/rabbitmq:/var/lib/rabbitmq
- /var/lib/rabbitmq:/var/lib/rabbitmq:z
- /var/log/containers/rabbitmq:/var/log/rabbitmq
- if:
- internal_tls_enabled
@ -212,11 +212,12 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/rabbitmq
- /var/lib/rabbitmq
- { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
- name: rabbitmq logs readme
copy:
dest: /var/log/rabbitmq/readme.txt

3
docker/services/mistral-api.yaml
View File

@ -99,7 +99,7 @@ outputs:
privileged: false
user: root
volumes:
- /var/log/containers/mistral:/var/log/mistral
- /var/log/containers/mistral:/var/log/mistral:z
command: ['/bin/bash', '-c', 'chown -R mistral:mistral /var/log/mistral']
step_3:
mistral_db_sync:
@ -156,6 +156,7 @@ outputs:
file:
path: /var/log/containers/mistral
state: directory
setype: svirt_sandbox_file_t
- name: mistral logs readme
copy:
dest: /var/log/mistral/readme.txt

3
docker/services/mistral-engine.yaml
View File

@ -115,7 +115,7 @@ outputs:
- /run:/run
- /var/lib/kolla/config_files/mistral_engine.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/mistral/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/mistral:/var/log/mistral
- /var/log/containers/mistral:/var/log/mistral:z
- /var/lib/mistral:/var/lib/mistral:ro
- /usr/share/ansible/:/usr/share/ansible/:ro
- /usr/share/openstack-tripleo-validations:/usr/share/openstack-tripleo-validations:ro
@ -126,6 +126,7 @@ outputs:
file:
path: /var/log/containers/mistral
state: directory
setype: svirt_sandbox_file_t
- name: mistral logs readme
copy:
dest: /var/log/mistral/readme.txt

3
docker/services/mistral-event-engine.yaml
View File

@ -115,7 +115,7 @@ outputs:
- /run:/run
- /var/lib/kolla/config_files/mistral_event_engine.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/mistral/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/mistral:/var/log/mistral
- /var/log/containers/mistral:/var/log/mistral:z
- /var/lib/mistral:/var/lib/mistral:ro
- /usr/share/ansible/:/usr/share/ansible/:ro
- /usr/share/openstack-tripleo-validations:/usr/share/openstack-tripleo-validations:ro
@ -126,6 +126,7 @@ outputs:
file:
path: /var/log/containers/mistral
state: directory
setype: svirt_sandbox_file_t
- name: mistral logs readme
copy:
dest: /var/log/mistral/readme.txt

16
docker/services/mistral-executor.yaml
View File

@ -129,8 +129,8 @@ outputs:
- /var/lib/config-data/puppet-generated/mistral/:/var/lib/kolla/config_files/src:ro
- /run:/run
- /var/run/docker.sock:/var/run/docker.sock:rw
- /var/log/containers/mistral:/var/log/mistral
- /var/lib/mistral:/var/lib/mistral
- /var/log/containers/mistral:/var/log/mistral:z
- /var/lib/mistral:/var/lib/mistral:z
- /usr/share/ansible/:/usr/share/ansible/:ro
- /usr/share/openstack-tripleo-validations:/usr/share/openstack-tripleo-validations:ro
- {get_param: MistralExecutorVolumes}
@ -138,14 +138,14 @@ outputs:
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks:
- name: create /var/lib/mistral directory
- name: create persistent data directory
file:
path: /var/lib/mistral
state: directory
- name: create persistent logs directory
file:
path: /var/log/containers/mistral
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/mistral, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/mistral, 'setype': svirt_sandbox_file_t }
- name: mistral logs readme
copy:
dest: /var/log/mistral/readme.txt

5
docker/services/neutron-dhcp.yaml
View File

@ -173,8 +173,8 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, docker_puppet_apply_volumes]}
-
- /run/openvswitch:/run/openvswitch
- /var/lib/neutron:/var/lib/neutron
- /run/openvswitch:/run/openvswitch:z
- /var/lib/neutron:/var/lib/neutron:z
step_4:
neutron_dhcp:
start_order: 10
@ -237,6 +237,7 @@ outputs:
file:
path: /var/lib/neutron
state: directory
setype: svirt_sandbox_file_t
upgrade_tasks:
- when: step|int == 0
tags: common

5
docker/services/neutron-l3.yaml
View File

@ -172,8 +172,8 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, docker_puppet_apply_volumes]}
-
- /run/openvswitch:/run/openvswitch
- /var/lib/neutron:/var/lib/neutron
- /run/openvswitch:/run/openvswitch:z
- /var/lib/neutron:/var/lib/neutron:z
step_4:
neutron_l3_agent:
start_order: 10
@ -235,6 +235,7 @@ outputs:
file:
path: /var/lib/neutron
state: directory
setype: svirt_sandbox_file_t
upgrade_tasks:
- when: step|int == 0
tags: common

3
docker/services/neutron-metadata.yaml
View File

@ -131,7 +131,7 @@ outputs:
- /var/lib/kolla/config_files/neutron_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
- /lib/modules:/lib/modules:ro
- /var/lib/neutron:/var/lib/neutron
- /var/lib/neutron:/var/lib/neutron:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
@ -143,6 +143,7 @@ outputs:
file:
path: /var/lib/neutron
state: directory
setype: svirt_sandbox_file_t
upgrade_tasks:
- when: step|int == 0
tags: common

2
docker/services/neutron-ovs-agent.yaml
View File

@ -101,7 +101,7 @@ outputs:
# on the unix domain socket - /run/openvswitch/db.sock
volumes:
- /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch
- /run/openvswitch:/run/openvswitch:z
kolla_config:
/var/lib/kolla/config_files/neutron_ovs_agent.json:
command: /neutron_ovs_agent_launcher.sh

2
docker/services/nova-api.yaml
View File

@ -243,7 +243,6 @@ outputs:
-
- /var/lib/config-data/nova/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro
- /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro
- /var/log/containers/nova:/var/log/nova
- /var/lib/docker-config-scripts/nova_api_ensure_default_cell.sh:/nova_api_ensure_default_cell.sh:ro
user: root
command: "/usr/bin/bootstrap_host_exec nova_api /nova_api_ensure_default_cell.sh"
@ -311,7 +310,6 @@ outputs:
-
- /var/lib/config-data/nova/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro
- /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro
- /var/log/containers/nova:/var/log/nova
- /var/lib/docker-config-scripts/nova_api_discover_hosts.sh:/nova_api_discover_hosts.sh:ro
user: root
command: "/usr/bin/bootstrap_host_exec nova_api /nova_api_discover_hosts.sh"

9
docker/services/nova-ironic.yaml
View File

@ -111,7 +111,7 @@ outputs:
privileged: false
detach: false
volumes:
- /var/lib/nova:/var/lib/nova:shared
- /var/lib/nova:/var/lib/nova:z
- /var/lib/docker-config-scripts/:/docker-config-scripts/
command: "/docker-config-scripts/nova_statedir_ownership.py"
step_5:
@ -146,11 +146,12 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/nova
- /var/lib/nova
- { 'path': /var/log/containers/nova, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
- name: nova logs readme
copy:
dest: /var/log/nova/readme.txt

2
docker/services/novajoin.yaml
View File

@ -182,7 +182,7 @@ outputs:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/novajoin_server.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/novajoin/etc/novajoin/join.conf:/etc/novajoin/join.conf:Z
- /var/lib/config-data/novajoin/etc/novajoin/join.conf:/etc/novajoin/join.conf:z
- /etc/ipa/:/etc/ipa/:ro
- /etc/novajoin/krb5.keytab:/etc/novajoin/krb5.keytab:ro
environment:

11
docker/services/pacemaker/database/mysql.yaml
View File

@ -178,7 +178,7 @@ outputs:
# Kolla does only non-recursive chown
command: ['chown', '-R', 'mysql:', '/var/lib/mysql']
volumes:
- /var/lib/mysql:/var/lib/mysql
- /var/lib/mysql:/var/lib/mysql:z
mysql_bootstrap:
start_order: 1
detach: false
@ -294,7 +294,7 @@ outputs:
- {get_attr: [ContainersCommon, docker_puppet_apply_volumes]}
- - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
- /dev/shm:/dev/shm:rw
- /var/lib/mysql:/var/lib/mysql:rw
- /var/lib/mysql:/var/lib/mysql:rw,z
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
@ -305,11 +305,12 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/mysql
- /var/lib/mysql
- {'path':/var/log/containers/mysql, 'setype': 'svirt_sandbox_file_t'}
- {'path': /var/lib/mysql, 'setype': 'svirt_sandbox_file_t'}
- name: mysql logs readme
copy:
dest: /var/log/mariadb/readme.txt

5
docker/services/pacemaker/haproxy.yaml
View File

@ -299,10 +299,11 @@ outputs:
- {get_attr: [HAProxyBase, role_data, host_prep_tasks]}
- name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/lib/haproxy
- { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t }
metadata_settings:
get_attr: [HAProxyBase, role_data, metadata_settings]
update_tasks:

7
docker/services/swift-proxy.yaml
View File

@ -242,11 +242,12 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /srv/node
- /var/log/swift
- { 'path': /srv/node, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/swift, 'setype': svirt_sandbox_file_t }
- name: Create swift logging symlink
file:
src: /var/log/swift

2
docker/services/swift-ringbuilder.yaml
View File

@ -113,5 +113,5 @@ outputs:
- '-c'
- 'cp -v -a -t /etc/swift /swift_ringbuilder/etc/swift/*.gz /swift_ringbuilder/etc/swift/*.builder /swift_ringbuilder/etc/swift/backups'
volumes:
- /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:rw
- /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:rw,z
- /var/lib/config-data/swift_ringbuilder:/swift_ringbuilder:ro

23
docker/services/swift-storage.yaml
View File

@ -208,7 +208,7 @@ outputs:
user: root
command: ['chown', '-R', 'swift:', '/srv/node']
volumes:
- /srv/node:/srv/node
- /srv/node:/srv/node:z
# FIXME (cschwede): remove this once the pid file setting is disabled
swift_rsync_fix:
image: {get_param: DockerSwiftObjectImage}
@ -217,7 +217,7 @@ outputs:
detach: false
command: ['/bin/bash', '-c', 'sed -i "/pid file/d" /var/lib/kolla/config_files/src/etc/rsyncd.conf']
volumes:
- /var/lib/config-data/puppet-generated/swift/:/var/lib/kolla/config_files/src:rw
- /var/lib/config-data/puppet-generated/swift/:/var/lib/kolla/config_files/src:rw,z
step_4:
swift_account_auditor:
image: *swift_account_image
@ -230,9 +230,9 @@ outputs:
-
- /var/lib/kolla/config_files/swift_account_auditor.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/swift/:/var/lib/kolla/config_files/src:ro
- /srv/node:/srv/node
- /srv/node:/srv/node:z
- /dev:/dev
- /var/cache/swift:/var/cache/swift
- /var/cache/swift:/var/cache/swift:z
environment: &kolla_env
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
swift_account_reaper:
@ -246,9 +246,9 @@ outputs:
-
- /var/lib/kolla/config_files/swift_account_reaper.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/swift/:/var/lib/kolla/config_files/src:ro
- /srv/node:/srv/node
- /srv/node:/srv/node:z
- /dev:/dev
- /var/cache/swift:/var/cache/swift
- /var/cache/swift:/var/cache/swift:z
environment: *kolla_env
swift_account_replicator:
image: *swift_account_image
@ -441,13 +441,14 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /srv/node
- /var/cache/swift
- /var/log/swift
- /var/log/containers
- { 'path': /srv/node, 'setype': svirt_sandbox_file_t }
- { 'path': /var/cache/swift, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/swift, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers, 'setype': svirt_sandbox_file_t }
- name: Set swift_use_local_disks fact
set_fact:
swift_use_local_disks: {get_param: SwiftUseLocalDir}