heat_template_version: wallaby description: > OpenStack containerized Memcached services parameters: ContainerMemcachedImage: description: image type: string ContainerMemcachedConfigImage: description: The container image to use for the memcached config_volume type: string EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json MemcachedMaxMemory: default: '50%' description: The maximum amount of memory for memcached to be configured to use when installed. This can be either a percentage ('50%') or a fixed value ('2048'). type: string MemcachedMaxConnections: default: 8192 description: The maximum number of connections to be accepted by memcached type: number MonitoringSubscriptionMemcached: default: 'overcloud-memcached' type: string Debug: default: false description: Set to True to enable debugging on all services. type: boolean MemcachedDebug: default: false description: Set to True to enable debugging Memcached service. type: boolean MemcachedIpSubnet: default: '' description: IP address/subnet on the memcached network. If empty (default), MemcachedNetwork will be taken. Useful in the case where an operator wants to open Memcached outside of the internal network. Use this parameter with caution and be aware of opening memcached to external network can be dangerous. type: string MemcachedPort: default: 11211 description: Port to have Memcached listening at. When using MemcachedTLS, this has to be set to a different port then the default - see below. type: number MemcachedTLS: default: false description: Set to True to enable TLS on Memcached service. Because not all services support Memcached TLS, during the migration period, Memcached will listen on 2 ports - on the port set with MemcachedPort parameter (above) and on 11211, without TLS. type: boolean CertificateKeySize: type: string default: '2048' description: Specifies the private key size used when creating the certificate. MemcachedCertificateKeySize: type: string default: '' description: Override the private key size used when creating the certificate for this service conditions: # NOTE: A non-tls port is necessary while there are still services # consuming Memcached that do not support TLS. Once all services # do support TLS, this config should be dropped. enable_non_tls_port: and: - {get_param: MemcachedTLS} - not: {equals: [{get_param: MemcachedPort}, 11211]} memcached_network_set: not: {equals : [{get_param: MemcachedIpSubnet}, '']} service_debug: {get_param: MemcachedDebug} is_ipv6: equals: - {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MemcachedNetwork]}]} - 6 key_size_override_set: not: {equals: [{get_param: MemcachedCertificateKeySize}, '']} resources: ContainersCommon: type: ../containers-common.yaml outputs: role_data: description: Role data for the Memcached API role. value: service_name: memcached firewall_rules: # https://access.redhat.com/security/cve/cve-2018-1000115 # Only accept TCP to avoid spoofed traffic amplification DoS on UDP. # Memcached traffic shouldn't be open on the internet. # Even if binding is configured on internal_api network, enforce it # via firewall as well. if: - memcached_network_set - '121 memcached': dport: list_concat: - - {get_param: MemcachedPort} - if: - enable_non_tls_port - [11211] proto: 'tcp' source: {get_param: MemcachedIpSubnet} - map_merge: repeat: for_each: <%net_cidr%>: get_param: - ServiceData - net_cidr_map - {get_param: [ServiceNetMap, MemcachedNetwork]} template: '121 memcached <%net_cidr%>': dport: list_concat: - - {get_param: MemcachedPort} - if: - enable_non_tls_port - [11211] proto: 'tcp' source: <%net_cidr%> monitoring_subscription: {get_param: MonitoringSubscriptionMemcached} config_settings: map_merge: - memcached::listen: # NOTE: bind IP is found in hiera replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR list_concat: - - if: - is_ipv6 - '::1' - '127.0.0.1' - str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} - if: - enable_non_tls_port - - str_replace: template: "notls:%{hiera('$NETWORK_uri')}:11211" params: $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} - if: - is_ipv6 - 'notls:[::1]:11211' - 'notls:127.0.0.1:11211' # NOTE(xek): the IP addresses are configured with: # memcached::listen - the new way # memcached::listen_ip - will be deprecated # see: https://github.com/saz/puppet-memcached/pull/127 memcached::listen_ip: - if: - is_ipv6 - '::1' - '127.0.0.1' - str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} memcached::listen_ip_uri: - if: - is_ipv6 - '::1' - '127.0.0.1' - str_replace: template: "%{hiera('$NETWORK_uri')}" params: $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} memcached::tcp_port: {get_param: MemcachedPort} memcached::max_connections: {get_param: MemcachedMaxConnections} memcached::max_memory: {get_param: MemcachedMaxMemory} # https://access.redhat.com/security/cve/cve-2018-1000115 # Only accept TCP to avoid spoofed traffic amplification DoS on UDP. memcached::udp_port: 0 memcached::verbosity: list_join: - '' - - 'v' - if: - service_debug - 'v' - '' memcached::disable_cachedump: true memcached::logstdout: true tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS} - if: # NOTE: This config is necessary while there are still services # consuming Memcached that do not support TLS. Once all services # do support TLS, this config should be dropped. - enable_non_tls_port - memcached_port: {get_param: MemcachedPort} memcached_authtoken_port: 11211 - memcached_port: {get_param: MemcachedPort} memcached_authtoken_port: {get_param: MemcachedPort} - if: - {get_param: MemcachedTLS} - tripleo::memcached::service_certificate: '/etc/pki/tls/certs/memcached.crt' tripleo::profile::base::memcached::certificate_specs: service_certificate: '/etc/pki/tls/certs/memcached.crt' service_key: '/etc/pki/tls/private/memcached.key' service_config_settings: collectd: tripleo.collectd.plugins.memcached: - memcached collectd::plugin::memcached::instances: local: host: "%{hiera('memcached::listen_ip_uri')}" port: # collectd has no support to Memcached+TLS yet. - if: - enable_non_tls_port - 11211 - {get_param: MemcachedPort} # BEGIN DOCKER SETTINGS puppet_config: config_volume: 'memcached' puppet_tags: 'file' step_config: | include tripleo::profile::base::memcached config_image: {get_param: ContainerMemcachedConfigImage} kolla_config: /var/lib/kolla/config_files/memcached.json: command: bash -c $* -- eval source /etc/sysconfig/memcached; exec /usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS >> /var/log/memcached/memcached.log 2>&1 config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true - source: "/var/lib/kolla/config_files/src-tls/*" dest: "/" merge: true preserve_properties: true optional: true permissions: - path: /var/log/memcached owner: memcached:memcached recurse: true - path: /etc/pki/tls/certs/memcached.crt owner: memcached:memcached optional: true - path: /etc/pki/tls/private/memcached.key owner: memcached:memcached optional: true docker_config: step_1: memcached: start_order: 0 image: {get_param: ContainerMemcachedImage} net: host privileged: false restart: always healthcheck: test: /openstack/healthcheck volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/kolla/config_files/memcached.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/memcached:/var/lib/kolla/config_files/src:rw,z - /var/log/containers/memcached:/var/log/memcached:rw - if: - {get_param: MemcachedTLS} - - /etc/pki/tls/certs/memcached.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/memcached.crt:ro - /etc/pki/tls/private/memcached.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/memcached.key:ro environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS metadata_settings: if: - {get_param: MemcachedTLS} - - service: memcached network: {get_param: [ServiceNetMap, MemcachedNetwork]} type: node deploy_steps_tasks: if: - {get_param: MemcachedTLS} - - name: Certificate generation when: step|int == 1 block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - name: memcached dns: str_replace: template: "{{fqdn_$NETWORK}}" params: $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} principal: str_replace: template: "memcached/{{fqdn_$NETWORK}}@{{idm_realm}}" params: $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} run_after: | container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep memcached) service_crt="/etc/pki/tls/certs/memcached.crt" service_key="/etc/pki/tls/private/memcached.key" # Copy the new cert from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" # Copy the new key from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" # Set appropriate permissions {{container_cli}} exec -u root "$container_name" chown memcached:memcached "$service_crt" {{container_cli}} exec -u root "$container_name" chown memcached:memcached "$service_key" # Send refresh_certs command to memcached to read the new certificate memcached_ip="$(hiera -c /etc/puppet/hiera.yaml memcached::listen_ip.0 127.0.0.1)" memcached_port="$(hiera -c /etc/puppet/hiera.yaml memcached::tcp_port 11211)" echo refresh_certs | openssl s_client -connect $memcached_ip:$memcached_port key_size: if: - key_size_override_set - {get_param: MemcachedCertificateKeySize} - {get_param: CertificateKeySize} ca: ipa host_prep_tasks: - name: create persistent directories file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" mode: "{{ item.mode }}" with_items: - { 'path': /var/log/containers/memcached, 'setype': container_file_t, 'mode': '0750' } upgrade_tasks: [] external_upgrade_tasks: - when: - step|int == 1 tags: - never - system_upgrade_transfer_data - system_upgrade_stop_services block: - name: Stop memcached container import_role: name: tripleo_container_stop vars: tripleo_containers_to_stop: - memcached tripleo_delegate_to: "{{ groups['memcached'] | default([]) }}"