heat_template_version: rocky description: > OpenStack containerized gnocchi service parameters: ContainerGnocchiApiImage: description: image type: string ContainerGnocchiConfigImage: description: The container image to use for the gnocchi config_volume type: string GnocchiApiLoggingSource: type: json default: tag: openstack.gnocchi.api file: /var/log/containers/gnocchi/app.log EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json DeployIdentifier: default: '' type: string description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. EnableInternalTLS: type: boolean default: false NumberOfStorageSacks: default: 128 description: Number of storage sacks to create. type: number CephClientUserName: default: openstack type: string CephClusterName: type: string default: ceph description: The Ceph cluster name. constraints: - allowed_pattern: "[a-zA-Z0-9]+" description: > The Ceph cluster name must be at least 1 character and contain only letters and numbers. GnocchiFileBasePath: default: '/var/lib/gnocchi' description: Path to use when file driver is used. This could be NFS or a flat file. type: string GnocchiPassword: description: The password for the gnocchi service and db account. type: string hidden: true GnocchiBackend: default: swift description: The short name of the Gnocchi backend to use. Should be one of swift, rbd, file or s3. type: string constraints: - allowed_values: ['swift', 'file', 'rbd', 's3'] GnocchiNfsEnabled: default: false description: > When using GnocchiBackend 'file', mount NFS share for data storage type: boolean GnocchiNfsShare: default: '' description: > NFS share to mount for data storage (when GnocchiNfsEnabled is true) type: string GnocchiNfsOptions: default: '_netdev,bg,intr,context=system_u:object_r:container_file_t:s0' description: > Nfs mount options for data storage (when GnocchiNfsEnabled is true) type: string GnocchiIncomingStorageDriver: default: redis description: Storage driver to use for incoming metric data type: string KeystoneRegion: type: string default: 'regionOne' description: Keystone region for endpoint MonitoringSubscriptionGnocchiApi: default: 'overcloud-gnocchi-api' type: string EnableInternalTLS: type: boolean default: false GnocchiApiPolicies: description: | A hash of policies to configure for Gnocchi API. e.g. { gnocchi-context_is_admin: { key: context_is_admin, value: 'role:admin' } } default: {} type: json GnocchiCorsAllowedOrigin: type: string default: '' description: Indicate whether this resource may be shared with the domain received in the request "origin" header. conditions: cors_allowed_origin_unset: {equals : [{get_param: GnocchiCorsAllowedOrigin}, '']} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} nfs_backend_enabled: {equals: [{get_param: GnocchiNfsEnabled}, true]} resources: ContainersCommon: type: ../containers-common.yaml MySQLClient: type: ../../deployment/database/mysql-client.yaml GnocchiServiceBase: type: ./gnocchi-base.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} ApacheServiceBase: type: ../../deployment/apache/apache-baremetal-puppet.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: description: Role data for the gnocchi API role. value: service_name: gnocchi_api firewall_rules: '129 gnocchi-api': dport: - 8041 - 13041 keystone_resources: gnocchi: endpoints: public: {get_param: [EndpointMap, GnocchiPublic, uri]} internal: {get_param: [EndpointMap, GnocchiInternal, uri]} admin: {get_param: [EndpointMap, GnocchiAdmin, uri]} users: gnocchi: password: {get_param: GnocchiPassword} region: {get_param: KeystoneRegion} service: 'metric' monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi} config_settings: map_merge: - get_attr: [GnocchiServiceBase, role_data, config_settings] - get_attr: [ApacheServiceBase, role_data, config_settings] - apache::default_vhost: false - if: - cors_allowed_origin_unset - {} - gnocchi::cors::allowed_origin: {get_param: GnocchiCorsAllowedOrigin} gnocchi::api::middlewares: 'oslo_middleware.cors.CORS' - gnocchi::api::enabled: true gnocchi::api::enable_proxy_headers_parsing: true gnocchi::api::service_name: 'httpd' gnocchi::policy::policies: {get_param: GnocchiApiPolicies} gnocchi::cors::max_age: 3600 gnocchi::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token' gnocchi::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma' gnocchi::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH' gnocchi::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword} gnocchi::keystone::authtoken::project_name: 'service' gnocchi::keystone::authtoken::user_domain_name: 'Default' gnocchi::keystone::authtoken::project_domain_name: 'Default' gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion} gnocchi::keystone::authtoken::interface: 'internal' gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS} gnocchi::wsgi::apache::servername: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]} tripleo::profile::base::gnocchi::api::gnocchi_backend: {get_param: GnocchiBackend} tripleo::profile::base::gnocchi::api::incoming_storage_driver: {get_param: GnocchiIncomingStorageDriver} # NOTE: bind IP is found in hiera replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR gnocchi::wsgi::apache::bind_host: str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]} gnocchi::wsgi::apache::wsgi_process_display_name: 'gnocchi_wsgi' service_config_settings: map_merge: - get_attr: [GnocchiServiceBase, role_data, service_config_settings] - rsyslog: tripleo_logging_sources_gnocchi_api: - {get_param: GnocchiApiLoggingSource} mysql: gnocchi::db::mysql::password: {get_param: GnocchiPassword} gnocchi::db::mysql::user: gnocchi gnocchi::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} gnocchi::db::mysql::dbname: gnocchi gnocchi::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" # BEGIN DOCKER SETTINGS puppet_config: config_volume: gnocchi puppet_tags: gnocchi_api_paste_ini,gnocchi_config step_config: list_join: - "\n" - - "include tripleo::profile::base::gnocchi::api" - {get_attr: [MySQLClient, role_data, step_config]} config_image: {get_param: ContainerGnocchiConfigImage} kolla_config: /var/lib/kolla/config_files/gnocchi_api.json: command: /usr/sbin/httpd -DFOREGROUND config_files: &gnocchi_api_kolla_config_files - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d" dest: "/etc/httpd/conf.d" merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d" dest: "/etc/httpd/conf.modules.d" # TODO(emilien) remove optional flag once we get a promotion # https://launchpad.net/bugs/1884115 optional: true merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true - source: "/var/lib/kolla/config_files/src-ceph/" dest: "/etc/ceph/" merge: true preserve_properties: true permissions: &gnocchi_api_kolla_permissions - path: /var/log/gnocchi owner: gnocchi:gnocchi recurse: true - path: str_replace: template: /etc/ceph/CLUSTER.client.USER.keyring params: CLUSTER: {get_param: CephClusterName} USER: {get_param: CephClientUserName} owner: gnocchi:gnocchi perm: '0600' - path: list_join: - "/" - - {get_param: GnocchiFileBasePath} - "tmp" owner: gnocchi:gnocchi perm: '0750' recurse: true /var/lib/kolla/config_files/gnocchi_db_sync.json: command: str_replace: template: /usr/bin/bootstrap_host_exec gnocchi_api /usr/bin/gnocchi-upgrade --sacks-number=SACK_NUM params: SACK_NUM: {get_param: NumberOfStorageSacks} config_files: *gnocchi_api_kolla_config_files permissions: *gnocchi_api_kolla_permissions docker_config: # db sync runs before permissions set by kolla_config step_2: gnocchi_init_log: image: &gnocchi_api_image {get_param: ContainerGnocchiApiImage} net: none user: root volumes: - /var/log/containers/gnocchi:/var/log/gnocchi:z - /var/log/containers/httpd/gnocchi-api:/var/log/httpd:z command: ['/bin/bash', '-c', 'chown -R gnocchi:gnocchi /var/log/gnocchi'] gnocchi_init_lib: image: *gnocchi_api_image net: none user: root volumes: - str_replace: template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH:SE_FLAGS params: GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath} SE_FLAGS: if: - nfs_backend_enabled - 'shared' - 'shared,z' command: - '/bin/bash' - '-c' - str_replace: template: 'chown -R gnocchi:gnocchi GNOCCHI_FILE_BASE_PATH' params: GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath} step_5: gnocchi_db_sync: start_order: 0 image: *gnocchi_api_image net: host detach: false privileged: false user: root volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/kolla/config_files/gnocchi_db_sync.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/gnocchi:/var/lib/kolla/config_files/src:ro - str_replace: template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH:SE_FLAGS params: GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath} SE_FLAGS: if: - nfs_backend_enabled - 'shared' - 'shared,z' - /var/log/containers/gnocchi:/var/log/gnocchi:z - /var/log/containers/httpd/gnocchi-api:/var/log/httpd:z - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier} gnocchi_api: image: *gnocchi_api_image start_order: 1 net: host privileged: false restart: always healthcheck: test: /openstack/healthcheck volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - str_replace: template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH:SE_FLAGS params: GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath} SE_FLAGS: if: - nfs_backend_enabled - 'shared' - 'shared,z' - /var/lib/kolla/config_files/gnocchi_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/gnocchi:/var/lib/kolla/config_files/src:ro - /var/log/containers/gnocchi:/var/log/gnocchi:z - /var/log/containers/httpd/gnocchi-api:/var/log/httpd:z - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro - if: - internal_tls_enabled - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - [] - if: - internal_tls_enabled - - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - [] environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS host_prep_tasks: - name: create logs directory file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" mode: "{{ item.mode|default(omit) }}" with_items: - { 'path': /var/log/containers/gnocchi, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/log/containers/httpd/gnocchi-api, 'setype': container_file_t, 'mode': '0750' } - name: Mount Gnocchi NFS on host vars: nfs_backend_enabled: {get_param: GnocchiNfsEnabled} nfs_share: {get_param: GnocchiNfsShare} nfs_options: {get_param: GnocchiNfsOptions} file_base_path: {get_param: GnocchiFileBasePath} mount: name: "{{file_base_path}}" state: mounted src: "{{nfs_share}}" fstype: nfs opts: "{{nfs_options}}" when: nfs_backend_enabled - name: ensure GnocchiFileBasePath exists file: path: {get_param: GnocchiFileBasePath} state: directory setype: container_file_t - name: ensure ceph configurations exist file: path: /etc/ceph state: directory upgrade_tasks: [] metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] external_upgrade_tasks: - when: - step|int == 1 tags: - never - system_upgrade_transfer_data - system_upgrade_stop_services block: - name: Stop gnocchi container import_role: name: tripleo_container_stop vars: tripleo_containers_to_stop: - gnocchi_api tripleo_delegate_to: "{{ groups['gnocchi_api'] | default([]) }}"