openstack
/
tripleo-heat-templates
Code Issues Proposed changes

docker-puppet.py: only create docker-puppet.sh when it doesn't exist 

In docker-puppet.py, we only create docker-puppet.sh script if it
doesn't exist yet. It's not useful to re-create it and it can be
dangerous to regenerate the script while docker-puppet.py is running,
since we bind mount the script to the containers.
It's possible that during a multi-process task, the script changes and
then the entrypoint fails to run correctly if the interpreter is not
present in the script.

This patch makes sure that we create the script only when needed, and
also that we remove it before running docker-puppet.py, which will be
useful when doing clean deployments or upgrades.

Context: https://github.com/containers/libpod/issues/1844
Change-Id: I0ac69adb47f59a9ca82764b5537532014a782913
This commit is contained in:
Emilien Macchi 2019-01-08 21:47:00 -05:00
parent d71c8b4aaa
commit d8ee4b9e73
2 changed files with 120 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
common/deploy-steps-tasks.yaml
View File

@ -121,6 +121,15 @@
- container_config - container_config
- container_config_tasks - container_config_tasks
- name: Delete existing /var/lib/docker-puppet/docker-puppet.sh
file:
path: /var/lib/docker-puppet/docker-puppet.sh
state: absent
tags:
- container_config
ignore_errors: true
check_mode: no
- name: Delete existing /var/lib/docker-puppet/check-mode for check mode - name: Delete existing /var/lib/docker-puppet/check-mode for check mode
file: file:
path: /var/lib/docker-puppet/check-mode path: /var/lib/docker-puppet/check-mode

221
docker/docker-puppet.py
View File

@ -257,118 +257,119 @@ for service in (json_data or []):
log.info('Service compilation completed.') log.info('Service compilation completed.')
with open(sh_script, 'w') as script_file: if not os.path.exists(sh_script):
os.chmod(script_file.name, 0o755) with open(sh_script, 'w') as script_file:
script_file.write("""#!/bin/bash os.chmod(script_file.name, 0o755)
set -ex script_file.write("""#!/bin/bash
mkdir -p /etc/puppet set -ex
cp -dR /tmp/puppet-etc/* /etc/puppet mkdir -p /etc/puppet
rm -Rf /etc/puppet/ssl # not in use and causes permission errors cp -dR /tmp/puppet-etc/* /etc/puppet
echo "{\\"step\\": $STEP}" > /etc/puppet/hieradata/docker_puppet.json rm -Rf /etc/puppet/ssl # not in use and causes permission errors
TAGS="" echo "{\\"step\\": $STEP}" > /etc/puppet/hieradata/docker_puppet.json
if [ -n "$PUPPET_TAGS" ]; then TAGS=""
TAGS="--tags \"$PUPPET_TAGS\"" if [ -n "$PUPPET_TAGS" ]; then
fi TAGS="--tags \"$PUPPET_TAGS\""
CHECK_MODE=""
if [ -d "/tmp/puppet-check-mode" ]; then
mkdir -p /etc/puppet/check-mode
cp -a /tmp/puppet-check-mode/* /etc/puppet/check-mode
CHECK_MODE="--hiera_config /etc/puppet/check-mode/hiera.yaml"
fi
# Create a reference timestamp to easily find all files touched by
# puppet. The sync ensures we get all the files we want due to
# different timestamp.
origin_of_time=/var/lib/config-data/${NAME}.origin_of_time
touch $origin_of_time
sync
export NET_HOST="${NET_HOST:-false}"
set +e
if [ "$NET_HOST" == "false" ]; then
export FACTER_hostname=$HOSTNAME
fi
# $::deployment_type in puppet-tripleo
export FACTER_deployment_type=containers
export FACTER_uuid=$(cat /sys/class/dmi/id/product_uuid | tr '[:upper:]' '[:lower:]')
/usr/bin/puppet apply --summarize \
--detailed-exitcodes \
--color=false \
--logdest syslog \
--logdest console \
--modulepath=/etc/puppet/modules:/usr/share/openstack-puppet/modules \
$TAGS \
$CHECK_MODE \
/etc/config.pp
rc=$?
set -e
if [ $rc -ne 2 -a $rc -ne 0 ]; then
exit $rc
fi
# Disables archiving
if [ -z "$NO_ARCHIVE" ]; then
archivedirs=("/etc" "/root" "/opt" "/var/lib/ironic/tftpboot" "/var/lib/ironic/httpboot" "/var/www" "/var/spool/cron" "/var/lib/nova/.ssh")
rsync_srcs=""
for d in "${archivedirs[@]}"; do
if [ -d "$d" ]; then
rsync_srcs+=" $d"
fi
done
# On stack update, if a password was changed in a config file,
# some services (e.g. mysql) must change their internal state
# (e.g. password in mysql DB) when paunch restarts them; and
# they need the old password to achieve that.
# For those services, we update the config hash to notify
# paunch that a restart is needed, but we do not update the
# password file in docker-puppet and let the service
# regenerate it instead.
action=$(hiera -c /etc/puppet/hiera.yaml stack_action)
if [ "x$action" = "xUPDATE" ];then
password_files="/root/.my.cnf"
else
password_files=""
fi fi
exclude_files="" CHECK_MODE=""
for p in $password_files; do if [ -d "/tmp/puppet-check-mode" ]; then
exclude_files+=" --exclude=$p" mkdir -p /etc/puppet/check-mode
done cp -a /tmp/puppet-check-mode/* /etc/puppet/check-mode
rsync -a -R --delay-updates --delete-after $exclude_files $rsync_srcs /var/lib/config-data/${NAME} CHECK_MODE="--hiera_config /etc/puppet/check-mode/hiera.yaml"
fi
# Also make a copy of files modified during puppet run # Create a reference timestamp to easily find all files touched by
# This is useful for debugging # puppet. The sync ensures we get all the files we want due to
echo "Gathering files modified after $(stat -c '%y' $origin_of_time)" # different timestamp.
mkdir -p /var/lib/config-data/puppet-generated/${NAME} origin_of_time=/var/lib/config-data/${NAME}.origin_of_time
rsync -a -R -0 --delay-updates --delete-after $exclude_files \ touch $origin_of_time
--files-from=<(find $rsync_srcs -newer $origin_of_time -not -path '/etc/puppet*' -print0) \ sync
/ /var/lib/config-data/puppet-generated/${NAME}
export NET_HOST="${NET_HOST:-false}"
# Write a checksum of the config-data dir, this is used as a set +e
# salt to trigger container restart when the config changes if [ "$NET_HOST" == "false" ]; then
# note: while being excluded from the output, password files export FACTER_hostname=$HOSTNAME
# are still included in checksum computation fi
additional_checksum_files="" # $::deployment_type in puppet-tripleo
for p in $password_files; do export FACTER_deployment_type=containers
if [ -f "$p" ]; then export FACTER_uuid=$(cat /sys/class/dmi/id/product_uuid | tr '[:upper:]' '[:lower:]')
additional_checksum_files+=" $p" /usr/bin/puppet apply --summarize \
--detailed-exitcodes \
--color=false \
--logdest syslog \
--logdest console \
--modulepath=/etc/puppet/modules:/usr/share/openstack-puppet/modules \
$TAGS \
$CHECK_MODE \
/etc/config.pp
rc=$?
set -e
if [ $rc -ne 2 -a $rc -ne 0 ]; then
exit $rc
fi
# Disables archiving
if [ -z "$NO_ARCHIVE" ]; then
archivedirs=("/etc" "/root" "/opt" "/var/lib/ironic/tftpboot" "/var/lib/ironic/httpboot" "/var/www" "/var/spool/cron" "/var/lib/nova/.ssh")
rsync_srcs=""
for d in "${archivedirs[@]}"; do
if [ -d "$d" ]; then
rsync_srcs+=" $d"
fi
done
# On stack update, if a password was changed in a config file,
# some services (e.g. mysql) must change their internal state
# (e.g. password in mysql DB) when paunch restarts them; and
# they need the old password to achieve that.
# For those services, we update the config hash to notify
# paunch that a restart is needed, but we do not update the
# password file in docker-puppet and let the service
# regenerate it instead.
action=$(hiera -c /etc/puppet/hiera.yaml stack_action)
if [ "x$action" = "xUPDATE" ];then
password_files="/root/.my.cnf"
else
password_files=""
fi fi
done
# We need to exclude the swift rings and their backup as those change over time and exclude_files=""
# containers do not need to restart if they change for p in $password_files; do
EXCLUDE=--exclude='*/etc/swift/backups/*'\ --exclude='*/etc/swift/*.ring.gz'\ --exclude='*/etc/swift/*.builder'\ --exclude='*/etc/libvirt/passwd.db' exclude_files+=" --exclude=$p"
# We need to repipe the tar command through 'tar xO' to force text done
# output because otherwise the sed command cannot work. The sed is rsync -a -R --delay-updates --delete-after $exclude_files $rsync_srcs /var/lib/config-data/${NAME}
# needed because puppet puts timestamps as comments in cron and
# parsedfile resources, hence triggering a change at every redeploy
tar -c --mtime='1970-01-01' $EXCLUDE -f - /var/lib/config-data/${NAME} $additional_checksum_files | tar xO | \ # Also make a copy of files modified during puppet run
sed '/^#.*HEADER.*/d' | md5sum | awk '{print $1}' > /var/lib/config-data/${NAME}.md5sum # This is useful for debugging
tar -c --mtime='1970-01-01' $EXCLUDE -f - /var/lib/config-data/puppet-generated/${NAME} $additional_checksum_files --mtime='1970-01-01' | tar xO \ echo "Gathering files modified after $(stat -c '%y' $origin_of_time)"
| sed '/^#.*HEADER.*/d' | md5sum | awk '{print $1}' > /var/lib/config-data/puppet-generated/${NAME}.md5sum mkdir -p /var/lib/config-data/puppet-generated/${NAME}
fi rsync -a -R -0 --delay-updates --delete-after $exclude_files \
""") --files-from=<(find $rsync_srcs -newer $origin_of_time -not -path '/etc/puppet*' -print0) \
/ /var/lib/config-data/puppet-generated/${NAME}
# Write a checksum of the config-data dir, this is used as a
# salt to trigger container restart when the config changes
# note: while being excluded from the output, password files
# are still included in checksum computation
additional_checksum_files=""
for p in $password_files; do
if [ -f "$p" ]; then
additional_checksum_files+=" $p"
fi
done
# We need to exclude the swift rings and their backup as those change over time and
# containers do not need to restart if they change
EXCLUDE=--exclude='*/etc/swift/backups/*'\ --exclude='*/etc/swift/*.ring.gz'\ --exclude='*/etc/swift/*.builder'\ --exclude='*/etc/libvirt/passwd.db'
# We need to repipe the tar command through 'tar xO' to force text
# output because otherwise the sed command cannot work. The sed is
# needed because puppet puts timestamps as comments in cron and
# parsedfile resources, hence triggering a change at every redeploy
tar -c --mtime='1970-01-01' $EXCLUDE -f - /var/lib/config-data/${NAME} $additional_checksum_files | tar xO | \
sed '/^#.*HEADER.*/d' | md5sum | awk '{print $1}' > /var/lib/config-data/${NAME}.md5sum
tar -c --mtime='1970-01-01' $EXCLUDE -f - /var/lib/config-data/puppet-generated/${NAME} $additional_checksum_files --mtime='1970-01-01' | tar xO \
| sed '/^#.*HEADER.*/d' | md5sum | awk '{print $1}' > /var/lib/config-data/puppet-generated/${NAME}.md5sum
fi
""")