heat_template_version: queens description: > OpenStack containerized Horizon service parameters: DockerHorizonImage: description: image type: string DockerHorizonConfigImage: description: The container image to use for the horizon config_volume type: string EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EnableInternalTLS: type: boolean default: false conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: ContainersCommon: type: ./containers-common.yaml HorizonBase: type: ../../puppet/services/horizon.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} outputs: role_data: description: Role data for the Horizon API role. value: service_name: {get_attr: [HorizonBase, role_data, service_name]} config_settings: map_merge: - get_attr: [HorizonBase, role_data, config_settings] - horizon::secure_cookies: false logging_source: {get_attr: [HorizonBase, role_data, logging_source]} logging_groups: {get_attr: [HorizonBase, role_data, logging_groups]} service_config_settings: {get_attr: [HorizonBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS puppet_config: config_volume: horizon puppet_tags: horizon_config step_config: {get_attr: [HorizonBase, role_data, step_config]} config_image: {get_param: DockerHorizonConfigImage} kolla_config: /var/lib/kolla/config_files/horizon.json: command: /usr/sbin/httpd -DFOREGROUND config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true permissions: - path: /var/log/horizon/ owner: apache:apache recurse: true # NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to # horizon:horizon - the policy.json files need read permissions for the apache user # FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead - path: /etc/openstack-dashboard/ owner: apache:apache recurse: true # FIXME Apache tries to write a .lock file there - path: /usr/share/openstack-dashboard/openstack_dashboard/local/ owner: apache:apache recurse: false # FIXME Our theme settings are there - path: /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/ owner: apache:apache recurse: false docker_config: step_2: horizon_fix_perms: image: &horizon_image {get_param: DockerHorizonImage} user: root # NOTE Set ownership for /var/log/horizon/horizon.log file here, # otherwise it's created by root when generating django cache. # FIXME Apache needs to read files in /etc/openstack-dashboard # Need to set permissions to match the BM case, # http://paste.openstack.org/show/609819/ command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log && chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard'] volumes: - /var/log/containers/horizon:/var/log/horizon - /var/log/containers/httpd/horizon:/var/log/httpd - /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard step_3: horizon: image: *horizon_image net: host privileged: false restart: always volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/horizon/:/var/lib/kolla/config_files/src:ro - /var/log/containers/horizon:/var/log/horizon - /var/log/containers/httpd/horizon:/var/log/httpd - if: - internal_tls_enabled - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - '' - if: - internal_tls_enabled - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - '' environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS # Installed plugins: - ENABLE_CLOUDKITTY=yes - ENABLE_IRONIC=yes - ENABLE_MAGNUM=yes - ENABLE_MANILA=yes - ENABLE_MURANO=yes - ENABLE_MISTRAL=yes - ENABLE_NEUTRON_LBAAS=yes - ENABLE_SAHARA=yes - ENABLE_TROVE=yes # Not installed: - ENABLE_FREEZER=no - ENABLE_FWAAS=no - ENABLE_KARBOR=no - ENABLE_DESIGNATE=no - ENABLE_SEARCHLIGHT=no - ENABLE_SENLIN=no - ENABLE_SOLUM=no - ENABLE_TACKER=no - ENABLE_WATCHER=no - ENABLE_ZAQAR=no - ENABLE_ZUN=no host_prep_tasks: - name: create persistent logs directory file: path: "{{ item }}" state: directory with_items: - /var/log/containers/horizon - /var/log/containers/httpd/horizon - name: horizon logs readme copy: dest: /var/log/horizon/readme.txt content: | Log files from horizon containers can be found under /var/log/containers/horizon and /var/log/containers/httpd/horizon. ignore_errors: true upgrade_tasks: - name: Check for horizon running under apache tags: common shell: "httpd -t -D DUMP_VHOSTS | grep -q horizon_vhost" ignore_errors: True register: httpd_enabled - name: "PreUpgrade step0,validation: Check if horizon is running" shell: systemctl is-active --quiet httpd when: - step|int == 0 - httpd_enabled.rc == 0 tags: validation - name: Stop and disable horizon service (running under httpd) when: - step|int == 2 - httpd_enabled.rc == 0 service: name=httpd state=stopped enabled=no metadata_settings: get_attr: [HorizonBase, role_data, metadata_settings]