Allow a containerized mistral-executor to access docker

This is required for a containerized undercloud to perform workflow driven container image prepare during overcloud deployment. This moves the MistralDockerGroup parameter out of mistral-base since this is only required for the executor. Further changes will be needed to puppet-tripleo to use 'group' and 'user' instead of ensure_resource, and also to ensure that the created docker group inside the executor container has the same gid as the docker group on the host, but these can depend on this change for testing. Change-Id: I429c72c0334a177d1ec37c3d9c13b7ba983de734 Blueprint: container-prepare-workflow
2018-06-15 14:24:41 +12:00 · 2018-06-15 14:24:41 +12:00 · 9104980524
commit 9104980524
parent a3d5dd0fb5
3 changed files with 11 additions and 7 deletions
--- a/docker/services/mistral-executor.yaml
+++ b/docker/services/mistral-executor.yaml
@ -74,13 +74,15 @@ outputs:
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: mistral
-        puppet_tags: mistral_config
+        puppet_tags: mistral_config,user,group
        step_config:
          list_join:
            - "\n"
            - - {get_attr: [MistralBase, role_data, step_config]}
              - {get_attr: [MySQLClient, role_data, step_config]}
        config_image: {get_param: DockerMistralConfigImage}
+        volumes:
+          - /var/run/docker.sock:/var/run/docker.sock:rw
      kolla_config:
        /var/lib/kolla/config_files/mistral_executor.json:
          command: /usr/bin/mistral-server --config-file=/etc/mistral/mistral.conf --log-file=/var/log/mistral/executor.log --server=executor
@ -115,6 +117,7 @@ outputs:
                  # FIXME: this is required in order for Nova cells
                  # initialization workflows on the Undercloud. Need to
                  # exclude this on the overcloud for security reasons.
+                  - /var/run/docker.sock:/var/run/docker.sock:rw
                  - /var/lib/config-data/nova/etc/nova:/etc/nova:ro
                  - /var/log/containers/mistral:/var/log/mistral
                  - /var/lib/mistral:/var/lib/mistral
--- a/puppet/services/mistral-base.yaml
+++ b/puppet/services/mistral-base.yaml
@ -45,10 +45,6 @@ parameters:
    description: The password for the Mistral service and db account, used by the Mistral services.
    type: string
    hidden: true
-  MistralDockerGroup:
-    default: false
-    description: Add the mistral user to the docker group to allow actions to perform docker operations.
-    type: boolean
  KeystoneRegion:
    type: string
    default: 'regionOne'
@ -121,7 +117,6 @@ outputs:
          - ''
          - - {get_param: [EndpointMap, KeystoneV3Internal, uri]}
            - '/ec2tokens'
-        tripleo::profile::base::mistral::executor::docker_group: {get_param: MistralDockerGroup}
      service_config_settings:
        keystone:
          mistral::keystone::auth::tenant: 'service'
--- a/puppet/services/mistral-executor.yaml
+++ b/puppet/services/mistral-executor.yaml
@ -30,6 +30,10 @@ parameters:
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
+  MistralDockerGroup:
+    default: false
+    description: Add the mistral user to the docker group to allow actions to perform docker operations.
+    type: boolean

 resources:
  MistralBase:
@ -48,7 +52,9 @@ outputs:
    value:
      service_name: mistral_executor
      config_settings:
-        get_attr: [MistralBase, role_data, config_settings]
+        map_merge:
+          - get_attr: [MistralBase, role_data, config_settings]
+          - tripleo::profile::base::mistral::executor::docker_group: {get_param: MistralDockerGroup}
      step_config: |
        include ::tripleo::profile::base::mistral::executor
      upgrade_tasks: