From ca041e2c41e8468ad086cff7582c3f399df8742b Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Thu, 17 Jan 2019 13:52:16 +0100
Subject: [PATCH] haproxy: deploy IPtables rules from the host
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Calling iptables CLI in the container requires advanced and risky bind-mounts, and on certain platform, iptables-save can't be found (e.g. fedora28 containers). This patch simplifies the firewall step for HAproxy container configuration where we now run Puppet on the host instead of from the container. Note: we can't use the puppet module in Ansible yet because we need Ansible 2.7.6 which has: https://github.com/ansible/ansible/commit/8606fb33f0e8954b588eaecec2d99b4a120fd4ad In the meantime, we use shell.
Co-Authored-By: Damien Ciabrini
Co-Authored-By: Emilien Macchi
Co-Authored-By: Cédric Jeanneret
Change-Id: Ia66db8e4ab0ccec7cc86665e2ad32d2861fe30c8
---
docker/services/haproxy.yaml | 61 +++++++++++---------
docker/services/pacemaker/haproxy.yaml | 25 ++++++++++-
2 files changed, 49 insertions(+), 37 deletions(-)
diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml
index 7e0b8cc7f4..a05399f51f 100644
--- a/docker/services/haproxy.yaml
+++ b/docker/services/haproxy.yaml
@@ -201,42 +201,7 @@ outputs:
 step_1:
 map_merge:
 - get_attr: [HAProxyLogging, docker_config, step_1]
- - haproxy_firewall:
- start_order: 1
- detach: false
- image: {get_param: DockerHAProxyImage}
- net: host
- user: root
- privileged: true
- command: # '/docker_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
- list_concat:
- - - '/docker_puppet_apply.sh'
- - '1'
- - 'tripleo::firewall::rule'
- - {get_attr: [HAProxyBase, role_data, step_config]}
- - if:
- - puppet_debug_enabled
- - - '--debug --verbose'
- - - ''
- volumes:
- list_concat:
- - {get_attr: [ContainersCommon, docker_puppet_apply_volumes]}
- - - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
- - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
- # puppet saves iptables rules in /etc/sysconfig
- - /etc/sysconfig:/etc/sysconfig:rw
- # saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount
- # the necessary bit and prevent systemd to try to reload the service in the container
- - /usr/libexec/iptables:/usr/libexec/iptables:ro
- - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
- - /var/lib/haproxy:/var/lib/haproxy:rw,z
- # Needed in order to call system iptables in order to ensure
- # we have kernel compatible modules
- # See https://bugzilla.redhat.com/show_bug.cgi?id=1665598
- - /lib/modules:/lib/modules:ro
- environment:
- - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- haproxy:
+ - haproxy:
 start_order: 1
 image: {get_param: DockerHAProxyImage}
 net: host
@@ -273,6 +238,30 @@ outputs:
 - null
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ deploy_steps_tasks:
+ - name: Run puppet on the host to apply IPtables rules
+ when: step|int == 1
+ shell: |
+ set +e
+ export FACTER_step=1
+ puppet apply {{ puppet_debug }} --detailed-exitcodes --summarize --color=false \
+ --modulepath {{ puppet_modulepath }} --tags {{ puppet_tags }} -e {{ puppet_execute }}
+ rc=$?
+ set -e
+ set +ux
+ if [ $rc -eq 2 -o $rc -eq 0 ]; then
+ exit 0
+ fi
+ exit $rc
+ vars:
+ puppet_execute: {get_attr: [HAProxyBase, role_data, step_config]}
+ puppet_tags: 'tripleo::firewall::rule'
+ puppet_modulepath: '/etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules'
+ puppet_debug:
+ if:
+ - puppet_debug_enabled
+ - '--debug --verbose'
+ - ''
 upgrade_tasks:
 - name: ensure we have haproxy log dir with the correct setype
 file:
diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml
index 43723b9b2e..f7d9ea926c 100644
--- a/docker/services/pacemaker/haproxy.yaml
+++ b/docker/services/pacemaker/haproxy.yaml
@@ -264,7 +264,7 @@ outputs:
 list_concat:
 - - '/docker_puppet_apply.sh'
 - '2'
- - 'file,file_line,concat,augeas,tripleo::firewall::rule,pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
+ - 'file,file_line,concat,augeas,pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
 - 'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::haproxy_bundle'
 - if:
 - puppet_debug_enabled
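Review bot: `-e {{ puppet_execute }}` on the `puppet apply` line is rendered into the script unquoted, and `puppet_execute` is the role's `step_config` manifest text, which presumably contains whitespace (the in-container form on this same page passes manifests like `'include ::tripleo::profile::base::pacemaker; include ::tripleo::profile::pacemaker::haproxy_bundle'`), so the shell would word-split it and treat any `;` as a command separator instead of handing Puppet a single manifest string. Quote it at render time, `-e {{ puppet_execute | quote }}`, and for consistency the `{{ puppet_modulepath }}` and `{{ puppet_tags }}` substitutions too. Two smaller points on the same script: `set +ux` right after `set -e` is a no-op since neither `-u` nor `-x` was ever enabled, and `-o` inside `[ ]` is obsolescent in POSIX, so `if [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ]; then` is the portable spelling. The copy of this task added to docker/services/pacemaker/haproxy.yaml (hunk `@@ -342,6 +342,29 @@`) has the same issues.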
@@ -342,6 +342,29 @@ outputs:
 vars:
 container_image: {get_param: DockerHAProxyImage}
 container_image_latest: *haproxy_image_pcmklatest
+ - name: Run puppet on the host to apply IPtables rules
+ when: step|int == 2
+ shell: |
+ set +e
+ export FACTER_step=2
+ puppet apply {{ puppet_debug }} --detailed-exitcodes --summarize --color=false \
+ --modulepath {{ puppet_modulepath }} --tags {{ puppet_tags }} -e {{ puppet_execute }}
+ rc=$?
+ set -e
+ set +ux
+ if [ $rc -eq 2 -o $rc -eq 0 ]; then
+ exit 0
+ fi
+ exit $rc
+ vars:
+ puppet_execute: {get_attr: [HAProxyBase, role_data, step_config]}
+ puppet_tags: 'tripleo::firewall::rule'
+ puppet_modulepath: '/etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules'
+ puppet_debug:
+ if:
+ - puppet_debug_enabled
+ - '--debug --verbose'
+ - ''
 update_tasks:
 - name: Set HAProxy upgrade facts
 block: &haproxy_update_upgrade_facts
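Review bot: The `set +e … exit $rc` wrapper around `puppet apply` collapses Puppet's `--detailed-exitcodes` result to 0 for both rc 0 (no changes) and rc 2 (changes applied), so the `shell` task reports changed on every run and the operator cannot see whether firewall rules were actually modified. Let the task end with the `puppet apply` command so its status becomes the task's rc, then add `register: haproxy_host_firewall_puppet`, `changed_when: haproxy_host_firewall_puppet.rc == 2` and `failed_when: haproxy_host_firewall_puppet.rc not in [0, 2]`, which keeps the current pass/fail behaviour while restoring the changed signal. This task is a 23-line copy of the one added to docker/services/haproxy.yaml (hunk `@@ -273,6 +238,30 @@`) differing only in `when:` and `FACTER_step`, so a shared snippet parameterised on the step would keep the two from drifting. The task list this entry is appended to starts outside the hunk.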