Move the haproxy iptables rules creation to host_prep_tasks

The reason for this is that under deploy_tasks they won't be run during
an update (until the converge command is run). This is problematic
because in a composable HA being updated the haproxy firewall rules
might disappear due to other tasks cleaning the rules up and they won't
be recreated until converge. The problem is that the temporary
containers will run during the minor update and try to access the db
which is now effectively firewalled off.

Historically this was at step 2, because haproxy was configured during
that step. Nothing should prevent us from creating the rules before and
that is what we do for the non-haproxy rules too anyway.

While moving it we need to take out the code from
::tripleo::profile::base::haproxy and use it directly because we do not
have the required 'step' variable set in host_prep_tasks and silly
puppet has no way of passing a hiera value on the command line (or via
other simple means).

Tested as follows:
1) Deployed a fresh Train environment with this patch and correctly
observed the haproxy fw rules:
[root@controller-0 ~]# iptables -nvL INPUT |grep _haproxy |wc -l
27

2) Ran a minor update of controller-2, controller-1 and controller-0
(in that order) and verified that afterwards all _haproxy rules
are in place *before* the converge.

3) Confirmed that in the minor update logs we do see the step where
haproxy rules are enforced (previously this was not the case):
$ grep 'Run puppet on the host to apply IPtables rules' update-controller-2.log
TASK [Run puppet on the host to apply IPtables rules] **************************

4) Ran a full minor update + converge of a composable HA environment

NB: Cherry-pick not 100% clean due to context

Closes-Bug: #1871646

Change-Id: Icba8a8292d1e2675c7da3513d00a4a0f4191747e
(cherry picked from commit 6220fe1bd3)
Michele Baldessari 2020-04-07 18:00:13 +02:00
parent 5323f2033e
commit 6c04309a35
1 changed files with 21 additions and 22 deletions


@ -308,6 +308,27 @@ outputs:
- { 'path': /var/log/containers/haproxy, 'setype': var_log_t, 'mode': '0750' }
- { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/haproxy, 'setype': svirt_sandbox_file_t }
- name: Run puppet on the host to apply IPtables rules
shell: |
set +e
puppet apply {{ puppet_debug }} --detailed-exitcodes --summarize --color=false \
--modulepath '{{ puppet_modulepath }}' --tags '{{ puppet_tags }}' -e '{{ puppet_execute }}'
rc=$?
set -e
set +ux
if [ $rc -eq 2 -o $rc -eq 0 ]; then
exit 0
fi
exit $rc
vars:
puppet_execute: "if hiera('enable_load_balancer', true) { class {'::tripleo::haproxy': use_internal_certificates => false, manage_firewall => hiera('tripleo::firewall::manage_firewall', true), }}"
puppet_tags: tripleo::firewall::rule
puppet_modulepath: /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules
puppet_debug:
if:
- puppet_debug_enabled
- '--debug --verbose'
- ''
metadata_settings:
{get_attr: [HAProxyBase, role_data, metadata_settings]}
deploy_steps_tasks:
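Review bot: the inline manifest in `puppet_execute` duplicates what `::tripleo::profile::base::haproxy` does (the commit message says this is deliberate because `step` is not available in host_prep_tasks), so the two can silently drift if the profile later gains parameters that affect the generated `tripleo::firewall::rule` resources; a short comment above the task pointing at the profile class and explaining why it is inlined would help future readers keep them in sync. Two smaller points in the shell body: `set +ux` after `set -e` is a no-op since neither `-u` nor `-x` is enabled in this script, so it can be dropped, and `[ $rc -eq 2 -o $rc -eq 0 ]` uses the obsolescent `-o` test operator and is clearer as `[ "$rc" -eq 0 ] || [ "$rc" -eq 2 ]` (0 = no changes, 2 = changes applied, which is the intended success set for `--detailed-exitcodes`).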
@ -343,28 +364,6 @@ outputs:
vars:
container_image: {get_param: ContainerHAProxyImage}
container_image_latest: *haproxy_image_pcmklatest
- name: Run puppet on the host to apply IPtables rules
when: step|int == 2
shell: |
set +e
puppet apply {{ puppet_debug }} --detailed-exitcodes --summarize --color=false \
--modulepath '{{ puppet_modulepath }}' --tags '{{ puppet_tags }}' -e '{{ puppet_execute }}'
rc=$?
set -e
set +ux
if [ $rc -eq 2 -o $rc -eq 0 ]; then
exit 0
fi
exit $rc
vars:
puppet_execute: include ::tripleo::profile::base::haproxy
puppet_tags: tripleo::firewall::rule
puppet_modulepath: /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules
puppet_debug:
if:
- puppet_debug_enabled
- '--debug --verbose'
- ''
update_tasks:
- name: Set HAProxy upgrade facts
block: &haproxy_update_upgrade_facts
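Review bot: with this task removed, nothing in deploy_steps_tasks re-applies the haproxy firewall rules at step 2 any more; the commit message states that other tasks flush these rules during a minor update and that the host_prep_tasks copy is now what restores them, so it is worth confirming (and noting in a comment near the new task) that host_prep_tasks always runs before those rule-cleaning tasks in the update flow, otherwise the db would again be unreachable for the temporary containers until converge. The removed block is otherwise identical to the added one apart from the `when: step|int == 2` guard and the `puppet_execute` value, which matches the stated intent.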