Allow a containerized mistral-executor to access docker

This is required for a containerized undercloud to perform workflow
driven container image prepare during overcloud deployment.

This moves the MistralDockerGroup parameter out of mistral-base since
this is only required for the executor.

Further changes will be needed to puppet-tripleo to use 'group' and
'user' instead of ensure_resource, and also to ensure that the created
docker group inside the executor container has the same gid as the
docker group on the host, but these can depend on this change for
testing.

Change-Id: I429c72c0334a177d1ec37c3d9c13b7ba983de734
Blueprint: container-prepare-workflow
Steve Baker 2018-06-15 14:24:41 +12:00
parent a3d5dd0fb5
commit 9104980524
3 changed files with 11 additions and 7 deletions


@ -74,13 +74,15 @@ outputs:
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: mistral
puppet_tags: mistral_config
puppet_tags: mistral_config,user,group
step_config:
list_join:
- "\n"
- - {get_attr: [MistralBase, role_data, step_config]}
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: DockerMistralConfigImage}
volumes:
- /var/run/docker.sock:/var/run/docker.sock:rw
kolla_config:
/var/lib/kolla/config_files/mistral_executor.json:
command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/executor.log --server=executor
@ -115,6 +117,7 @@ outputs:
# FIXME: this is required in order for Nova cells
# initialization workflows on the Undercloud. Need to
# exclude this on the overcloud for security reasons.
- /var/run/docker.sock:/var/run/docker.sock:rw
- /var/lib/config-data/nova/etc/nova:/etc/nova:ro
- /var/log/containers/mistral:/var/log/mistral
- /var/lib/mistral:/var/lib/mistral
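Review bot: In the second hunk the docker.sock mount sits directly under the existing FIXME comment, so that comment (written about Nova cells initialization, and presumably about the /etc/nova mount below it) now reads as if it described the socket. Read-write access to /var/run/docker.sock is effectively root on the host, and as far as these hunks show, both this mount and the one added under `puppet_config` `volumes` in the first hunk are unconditional rather than tied to `MistralDockerGroup`. I would move the new line below the nova mount (or above the FIXME) and give it its own comment, e.g. `# docker.sock gives the executor control of the host docker daemon; undercloud only, needed for container image prepare`. The volumes list starts and ends outside the hunk.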


@ -45,10 +45,6 @@ parameters:
description: The password for the Mistral service and db account, used by the Mistral services.
type: string
hidden: true
MistralDockerGroup:
default: false
description: Add the mistral user to the docker group to allow actions to perform docker operations.
type: boolean
KeystoneRegion:
type: string
default: 'regionOne'
@ -121,7 +117,6 @@ outputs:
- ''
- - {get_param: [EndpointMap, KeystoneV3Internal, uri]}
- '/ec2tokens'
tripleo::profile::base::mistral::executor::docker_group: {get_param: MistralDockerGroup}
service_config_settings:
keystone:
mistral::keystone::auth::tenant: 'service'


@ -30,6 +30,10 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
MistralDockerGroup:
default: false
description: Add the mistral user to the docker group to allow actions to perform docker operations.
type: boolean
resources:
MistralBase:
@ -48,7 +52,9 @@ outputs:
value:
service_name: mistral_executor
config_settings:
get_attr: [MistralBase, role_data, config_settings]
map_merge:
- get_attr: [MistralBase, role_data, config_settings]
- tripleo::profile::base::mistral::executor::docker_group: {get_param: MistralDockerGroup}
step_config: |
include ::tripleo::profile::base::mistral::executor
upgrade_tasks:
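Review bot: The `MistralDockerGroup` description in the first hunk does not say what enabling it grants: docker group membership gives the mistral user control of the host docker daemon, which is root-equivalent on that host. Going by the description's own wording, this would extend to the actions the executor runs. I would extend the text, e.g. `description: Add the mistral user to the docker group so actions can perform docker operations. This grants root-equivalent access to the host docker daemon; enable on the undercloud only.` The `false` default is the right one to keep.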