tripleo-heat-templates/deployment/gnocchi/gnocchi-api-container-puppet.yaml
Cédric Jeanneret ae5fa916f7 Enable CAP_AUDIT_WRITE for some containers/steps
Usually, db_sync involves call to "sudo". Such call are now logging a
warning/error in the host log due to a recently removed capability in
podman, the CAP_AUDIT_WRITE. This capability allows containers to write
in the audit log whenever there's a security related thing.

Sudo isn't the only one needing this access - sshd also writes in the
audit. Since the nova-migration-target runs sshd, enabling the
capability in there will ensure we're keeping clean track of the
accesses.

Change-Id: I8972b16254b141e7102ea87cb6c0d489d8426751
Closes-Bug: #1991219
2022-10-03 13:31:59 +02:00

493 lines
19 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack containerized gnocchi service
parameters:
ContainerGnocchiApiImage:
description: image
type: string
tags:
- role_specific
ContainerGnocchiConfigImage:
description: The container image to use for the gnocchi config_volume
type: string
tags:
- role_specific
GnocchiApiLoggingSource:
type: json
default:
tag: openstack.gnocchi.api
file: /var/log/containers/gnocchi/app.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
EnableInternalTLS:
type: boolean
default: false
NumberOfStorageSacks:
default: 128
description: Number of storage sacks to create.
type: number
CephClientUserName:
default: openstack
type: string
CephClusterName:
type: string
default: ceph
description: The Ceph cluster name.
constraints:
- allowed_pattern: "[a-zA-Z0-9]+"
description: >
The Ceph cluster name must be at least 1 character and contain only
letters and numbers.
GnocchiFileBasePath:
default: '/var/lib/gnocchi'
description: Path to use when file driver is used. This could be NFS or a
flat file.
type: string
GnocchiPassword:
description: The password for the gnocchi service and db account.
type: string
hidden: true
GnocchiBackend:
default: swift
description: The short name of the Gnocchi backend to use. Should be one
of swift, rbd, file or s3.
type: string
constraints:
- allowed_values: ['swift', 'file', 'rbd', 's3']
GnocchiNfsEnabled:
default: false
description: >
When using GnocchiBackend 'file', mount NFS share for data storage
type: boolean
GnocchiNfsShare:
default: ''
description: >
NFS share to mount for data storage (when GnocchiNfsEnabled is true)
type: string
GnocchiNfsOptions:
default: '_netdev,bg,intr,context=system_u:object_r:container_file_t:s0'
description: >
Nfs mount options for data storage (when GnocchiNfsEnabled is true)
type: string
GnocchiIncomingStorageDriver:
default: redis
description: Storage driver to use for incoming metric data
type: string
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
MonitoringSubscriptionGnocchiApi:
default: 'overcloud-gnocchi-api'
type: string
GnocchiApiPolicies:
description: |
A hash of policies to configure for Gnocchi API.
e.g. { gnocchi-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
GnocchiCorsAllowedOrigin:
type: string
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
CephConfigPath:
type: string
default: "/var/lib/tripleo-config/ceph"
description: |
The path where the Ceph Cluster config files are stored on the host.
MemcacheUseAdvancedPool:
type: boolean
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
conditions:
cors_allowed_origin_unset: {equals : [{get_param: GnocchiCorsAllowedOrigin}, '']}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
nfs_backend_enabled: {equals: [{get_param: GnocchiNfsEnabled}, true]}
resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../../deployment/database/mysql-client.yaml
GnocchiServiceBase:
type: ./gnocchi-base.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerGnocchiApiImage: ContainerGnocchiApiImage
ContainerGnocchiConfigImage: ContainerGnocchiConfigImage
- values: {get_param: [RoleParameters]}
- values:
ContainerGnocchiApiImage: {get_param: ContainerGnocchiApiImage}
ContainerGnocchiConfigImage: {get_param: ContainerGnocchiConfigImage}
outputs:
role_data:
description: Role data for the gnocchi API role.
value:
service_name: gnocchi_api
firewall_rules:
'129 gnocchi-api':
dport:
- 8041
firewall_frontend_rules:
'100 gnocchi_haproxy_frontend':
dport:
- 8041
firewall_ssl_frontend_rules:
'100 gnocchi_haproxy_frontend_ssl':
dport:
- 13041
keystone_resources:
gnocchi:
endpoints:
public: {get_param: [EndpointMap, GnocchiPublic, uri]}
internal: {get_param: [EndpointMap, GnocchiInternal, uri]}
admin: {get_param: [EndpointMap, GnocchiAdmin, uri]}
users:
gnocchi:
password: {get_param: GnocchiPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'metric'
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}
config_settings:
map_merge:
- get_attr: [GnocchiServiceBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- apache::default_vhost: false
-
if:
- cors_allowed_origin_unset
- {}
- gnocchi::cors::allowed_origin: {get_param: GnocchiCorsAllowedOrigin}
gnocchi::api::middlewares: 'oslo_middleware.cors.CORS'
- gnocchi::api::enabled: true
gnocchi::api::enable_proxy_headers_parsing: true
gnocchi::api::service_name: 'httpd'
gnocchi::api::sync_db: false
gnocchi::policy::policies: {get_param: GnocchiApiPolicies}
gnocchi::cors::max_age: 3600
gnocchi::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
gnocchi::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
gnocchi::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
gnocchi::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword}
gnocchi::keystone::authtoken::project_name: 'service'
gnocchi::keystone::authtoken::user_domain_name: 'Default'
gnocchi::keystone::authtoken::project_domain_name: 'Default'
gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
gnocchi::keystone::authtoken::interface: 'internal'
gnocchi::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
gnocchi::wsgi::apache::access_log_format: 'forwarded'
gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
gnocchi::wsgi::apache::servername:
str_replace:
template:
"%{lookup('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]}
tripleo::profile::base::gnocchi::api::gnocchi_backend: {get_param: GnocchiBackend}
tripleo::profile::base::gnocchi::api::incoming_storage_driver: {get_param: GnocchiIncomingStorageDriver}
tripleo::profile::base::gnocchi::api::gnocchi_rbd_ceph_conf_path: {get_param: CephConfigPath}
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
gnocchi::wsgi::apache::bind_host:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]}
gnocchi::wsgi::apache::wsgi_process_display_name: 'gnocchi_wsgi'
service_config_settings:
map_merge:
- get_attr: [GnocchiServiceBase, role_data, service_config_settings]
- rsyslog:
tripleo_logging_sources_gnocchi_api:
- {get_param: GnocchiApiLoggingSource}
mysql:
gnocchi::db::mysql::password: {get_param: GnocchiPassword}
gnocchi::db::mysql::user: gnocchi
gnocchi::db::mysql::host: '%'
gnocchi::db::mysql::dbname: gnocchi
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: gnocchi
puppet_tags: gnocchi_api_paste_ini,gnocchi_config,exec
step_config:
list_join:
- "\n"
- - "include tripleo::profile::base::gnocchi::api"
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_attr: [RoleParametersValue, value, ContainerGnocchiConfigImage]}
kolla_config:
/var/lib/kolla/config_files/gnocchi_api.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files: &gnocchi_api_kolla_config_files
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-ceph/"
dest: "/etc/ceph/"
merge: true
preserve_properties: true
permissions: &gnocchi_api_kolla_permissions
- path: /var/log/gnocchi
owner: gnocchi:gnocchi
recurse: true
- path:
str_replace:
template: /etc/ceph/CLUSTER.client.USER.keyring
params:
CLUSTER: {get_param: CephClusterName}
USER: {get_param: CephClientUserName}
owner: gnocchi:gnocchi
perm: '0600'
- path:
list_join:
- "/"
- - {get_param: GnocchiFileBasePath}
- "tmp"
owner: gnocchi:gnocchi
perm: '0750'
recurse: true
/var/lib/kolla/config_files/gnocchi_db_sync.json:
command:
str_replace:
template: /usr/bin/bootstrap_host_exec gnocchi_api /usr/bin/gnocchi-upgrade --sacks-number=SACK_NUM
params:
SACK_NUM: {get_param: NumberOfStorageSacks}
config_files: *gnocchi_api_kolla_config_files
permissions: *gnocchi_api_kolla_permissions
docker_config:
# db sync runs before permissions set by kolla_config
step_2:
gnocchi_init_log:
image: &gnocchi_api_image {get_attr: [RoleParametersValue, value, ContainerGnocchiApiImage]}
net: none
user: root
volumes:
- /var/log/containers/gnocchi:/var/log/gnocchi:z
- /var/log/containers/httpd/gnocchi-api:/var/log/httpd:z
command: ['/bin/bash', '-c', 'chown -R gnocchi:gnocchi /var/log/gnocchi']
gnocchi_init_lib:
image: *gnocchi_api_image
net: none
user: root
volumes:
- str_replace:
template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH:SE_FLAGS
params:
GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}
SE_FLAGS:
if:
- nfs_backend_enabled
- 'shared'
- 'shared,z'
command:
- '/bin/bash'
- '-c'
- str_replace:
template: 'chown -R gnocchi:gnocchi GNOCCHI_FILE_BASE_PATH'
params:
GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}
step_5:
gnocchi_db_sync:
start_order: 0
image: *gnocchi_api_image
cap_add:
- AUDIT_WRITE
net: host
detach: false
privileged: false
user: root
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/gnocchi_db_sync.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/gnocchi:/var/lib/kolla/config_files/src:ro
- str_replace:
template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH:SE_FLAGS
params:
GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}
SE_FLAGS:
if:
- nfs_backend_enabled
- 'shared'
- 'shared,z'
- /var/log/containers/gnocchi:/var/log/gnocchi:z
- /var/log/containers/httpd/gnocchi-api:/var/log/httpd:z
- list_join:
- ':'
- - {get_param: CephConfigPath}
- - '/var/lib/kolla/config_files/src-ceph'
- - 'ro'
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
gnocchi_api:
image: *gnocchi_api_image
start_order: 1
net: host
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- str_replace:
template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH:SE_FLAGS
params:
GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}
SE_FLAGS:
if:
- nfs_backend_enabled
- 'shared'
- 'shared,z'
- /var/lib/kolla/config_files/gnocchi_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/gnocchi:/var/lib/kolla/config_files/src:ro
- /var/log/containers/gnocchi:/var/log/gnocchi:z
- /var/log/containers/httpd/gnocchi-api:/var/log/httpd:z
- list_join:
- ':'
- - {get_param: CephConfigPath}
- - '/var/lib/kolla/config_files/src-ceph'
- - 'ro'
- if:
- internal_tls_enabled
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- []
- if:
- internal_tls_enabled
- - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- []
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks:
- name: create logs directory
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- { 'path': /var/log/containers/gnocchi, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/gnocchi-api, 'setype': container_file_t, 'mode': '0750' }
- name: Mount Gnocchi NFS on host
vars:
nfs_backend_enabled: {get_param: GnocchiNfsEnabled}
nfs_share: {get_param: GnocchiNfsShare}
nfs_options: {get_param: GnocchiNfsOptions}
file_base_path: {get_param: GnocchiFileBasePath}
mount:
name: "{{file_base_path}}"
state: mounted
src: "{{nfs_share}}"
fstype: nfs
opts: "{{nfs_options}}"
when: nfs_backend_enabled
- name: ensure GnocchiFileBasePath exists
file:
path: {get_param: GnocchiFileBasePath}
state: directory
setype: container_file_t
- name: ensure ceph configurations exist
file:
path: {get_param: CephConfigPath}
state: directory
upgrade_tasks: []
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
deploy_steps_tasks:
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop gnocchi container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- gnocchi_api
tripleo_delegate_to: "{{ groups['gnocchi_api'] | difference(groups['excluded_overcloud']) }}"