heat_template_version: rocky description: > OpenStack containerized Cinder API service parameters: ContainerCinderApiImage: description: image type: string ContainerCinderConfigImage: description: The container image to use for the cinder config_volume type: string CinderApiLoggingSource: type: json default: tag: openstack.cinder.api file: /var/log/containers/cinder/cinder-api.log EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json DeployIdentifier: default: '' type: string description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. EnableInternalTLS: type: boolean default: false CinderDefaultVolumeType: default: tripleo description: The name of Cinder's default volume type. type: string CinderEnableDBPurge: default: true description: | Whether to create cron job for purging soft deleted rows in Cinder database. type: boolean CinderPassword: description: The password for the cinder service and db account. type: string hidden: true KeystoneRegion: type: string default: 'regionOne' description: Keystone region for endpoint MonitoringSubscriptionCinderApi: default: 'overcloud-cinder-api' type: string CinderWorkers: type: string description: Set the number of workers for cinder::wsgi::apache default: '%{::os_workers}' CinderApiPolicies: description: | A hash of policies to configure for Cinder API. e.g. { cinder-context_is_admin: { key: context_is_admin, value: 'role:admin' } } default: {} type: json CinderApiWsgiTimeout: default: 60 description: The number of seconds until a Cinder API WSGI connection times out. type: number NotificationDriver: type: comma_delimited_list default: 'noop' description: Driver or drivers to handle sending notifications. RootStackName: description: The name of the stack/plan. type: string conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]} resources: ContainersCommon: type: ../containers-common.yaml MySQLClient: type: ../database/mysql-client.yaml CinderBase: type: ./cinder-base.yaml properties: EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} CinderCommon: type: ./cinder-common-container-puppet.yaml ApacheServiceBase: type: ../../deployment/apache/apache-baremetal-puppet.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: description: Role data for the Cinder API role. value: service_name: cinder_api firewall_rules: '119 cinder': dport: - 8776 - 13776 keystone_resources: cinder: users: cinder: password: {get_param: CinderPassword} roles: - admin - service cinderv3: endpoints: public: {get_param: [EndpointMap, CinderV3Public, uri]} internal: {get_param: [EndpointMap, CinderV3Internal, uri]} admin: {get_param: [EndpointMap, CinderV3Admin, uri]} users: cinderv3: password: {get_param: CinderPassword} roles: - admin - service region: {get_param: KeystoneRegion} service: 'volumev3' monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi} config_settings: map_merge: - get_attr: [CinderBase, role_data, config_settings] - get_attr: [ApacheServiceBase, role_data, config_settings] - keystone_resources_managed: false - cinder::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} cinder::keystone::authtoken::password: {get_param: CinderPassword} cinder::keystone::authtoken::project_name: 'service' cinder::keystone::authtoken::user_domain_name: 'Default' cinder::keystone::authtoken::project_domain_name: 'Default' cinder::keystone::authtoken::region_name: {get_param: KeystoneRegion} cinder::keystone::authtoken::interface: 'internal' cinder::policy::policies: {get_param: CinderApiPolicies} cinder::notification_driver: {get_param: NotificationDriver} cinder::api::default_volume_type: {get_param: CinderDefaultVolumeType} cinder::api::enable_proxy_headers_parsing: true cinder::api::nova_catalog_info: 'compute:nova:internalURL' tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge} cinder::api::bind_host: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]} cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS} cinder::api::service_name: 'httpd' # NOTE: bind IP is found in hiera replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR cinder::wsgi::apache::bind_host: str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]} cinder::wsgi::apache::servername: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]} cinder::wsgi::apache::vhost_custom_fragment: str_replace: template: "Timeout TIMEOUT" params: TIMEOUT: {get_param: CinderApiWsgiTimeout} - if: - cinder_workers_zero - {} - cinder::wsgi::apache::workers: {get_param: CinderWorkers} service_config_settings: rsyslog: tripleo_logging_sources_cinder_api: - {get_param: CinderApiLoggingSource} mysql: cinder::db::mysql::password: {get_param: CinderPassword} cinder::db::mysql::user: cinder cinder::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} cinder::db::mysql::dbname: cinder cinder::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" # BEGIN DOCKER SETTINGS puppet_config: config_volume: cinder puppet_tags: cinder_config,cinder_type,file,concat,file_line step_config: list_join: - "\n" - - "include tripleo::profile::base::cinder::api" - {get_attr: [MySQLClient, role_data, step_config]} config_image: {get_param: ContainerCinderConfigImage} kolla_config: /var/lib/kolla/config_files/cinder_api.json: command: /usr/sbin/httpd -DFOREGROUND config_files: - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d" dest: "/etc/httpd/conf.d" merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d" dest: "/etc/httpd/conf.modules.d" # TODO(emilien) remove optional flag once we get a promotion # https://launchpad.net/bugs/1884115 optional: true merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true - source: "/var/lib/kolla/config_files/src-tls/*" dest: "/" merge: true preserve_properties: true optional: true permissions: - path: /var/log/cinder owner: cinder:cinder recurse: true - path: /etc/pki/tls/certs/etcd.crt owner: cinder:cinder - path: /etc/pki/tls/private/etcd.key owner: cinder:cinder /var/lib/kolla/config_files/cinder_api_cron.json: command: /usr/sbin/crond -n config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true permissions: - path: /var/log/cinder owner: cinder:cinder recurse: true docker_config: step_2: cinder_api_init_logs: image: &cinder_api_image {get_param: ContainerCinderApiImage} net: none privileged: false user: root volumes: - /var/log/containers/cinder:/var/log/cinder:z - /var/log/containers/httpd/cinder-api:/var/log/httpd:z command: ['/bin/bash', '-c', 'chown -R cinder:cinder /var/log/cinder'] step_3: cinder_api_db_sync: image: *cinder_api_image net: host privileged: false detach: false user: root volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/config-data/cinder/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro - /var/lib/config-data/cinder/etc/cinder/:/etc/cinder/:ro - /var/log/containers/cinder:/var/log/cinder:z - /var/log/containers/httpd/cinder-api:/var/log/httpd:z command: - '/usr/bin/bootstrap_host_exec' - 'cinder_api' - "su cinder -s /bin/bash -c 'cinder-manage db sync --bump-versions'" environment: TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} step_4: cinder_api: image: *cinder_api_image net: host privileged: false restart: always # NOTE(mandre) kolla image changes the user to 'cinder', we need it # to be root to run httpd user: root healthcheck: test: /openstack/healthcheck volumes: list_concat: - {get_attr: [CinderCommon, cinder_common_volumes]} - - /var/lib/kolla/config_files/cinder_api.json:/var/lib/kolla/config_files/config.json:ro - /var/log/containers/httpd/cinder-api:/var/log/httpd:z - if: - internal_tls_enabled - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - [] environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS cinder_api_cron: image: *cinder_api_image net: host user: root privileged: false restart: always healthcheck: test: '/usr/share/openstack-tripleo-common/healthcheck/cron cinder' volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/kolla/config_files/cinder_api_cron.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/cinder:/var/lib/kolla/config_files/src:ro - /var/log/containers/cinder:/var/log/cinder:z - /var/log/containers/httpd/cinder-api:/var/log/httpd:z environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS container_puppet_tasks: # Create the default volume type after the cinder-api service is # running. The puppet code will ensure this is only done once, on # the bootstrap node. step_4: config_volume: 'cinder_init_tasks' puppet_tags: cinder_config,cinder_type,file,concat,file_line step_config: 'include tripleo::profile::base::cinder::api' config_image: *cinder_api_image volumes: - /var/lib/config-data/cinder/etc/cinder/:/etc/cinder/:ro metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] host_prep_tasks: - name: create persistent directories file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" mode: "{{ item.mode|default(omit) }}" with_items: - { 'path': /var/log/containers/cinder, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/log/containers/httpd/cinder-api, 'setype': container_file_t, 'mode': '0750' } external_upgrade_tasks: - when: step|int == 1 block: &cinder_online_db_migration - name: Online data migration for Cinder command: "{{ container_cli }} exec cinder_api cinder-manage db online_data_migrations" delegate_to: "{{ groups['cinder_api'][0] }}" become: true tags: - online_upgrade - online_upgrade_cinder - when: step|int == 1 tags: - never - system_upgrade_transfer_data - system_upgrade_stop_services block: - name: Stop cinder api container import_role: name: tripleo_container_stop vars: tripleo_containers_to_stop: - cinder_api - cinder_api_cron tripleo_delegate_to: "{{ groups['cinder_api'] | default([]) }}" external_update_tasks: - when: step|int == 1 block: *cinder_online_db_migration external_deploy_tasks: - name: Clean up legacy Cinder keystone catalog entries become: true os_keystone_service: cloud: {get_param: RootStackName} name: "{{ item.service_name }}" service_type: "{{ item.service_type }}" state: absent loop: - {service_name: cinderv2, service_type: volumev2} # The following cinderv3/volume entry removes a legacy workaround # unrelated to cinder's v3 API service (cinderv3/volumev3). See # Ic0eb72f78e2a19e2f40ab12631a872d828bab46a for details. - {service_name: cinderv3, service_type: volume} loop_control: index_var: cinder_api_service when: - step|int == 4 - name: Manage Cinder Volume Type become: true vars: default_volume_type: {get_param: CinderDefaultVolumeType} environment: OS_CLOUD: {get_param: RootStackName} when: - step|int == 5 - not ansible_check_mode|bool shell: | if ! openstack volume type show "{{ default_volume_type }}"; then openstack volume type create --public "{{ default_volume_type }}" fi args: executable: /bin/bash changed_when: false