ae5fa916f7
Usually, db_sync involves call to "sudo". Such call are now logging a warning/error in the host log due to a recently removed capability in podman, the CAP_AUDIT_WRITE. This capability allows containers to write in the audit log whenever there's a security related thing. Sudo isn't the only one needing this access - sshd also writes in the audit. Since the nova-migration-target runs sshd, enabling the capability in there will ensure we're keeping clean track of the accesses. Change-Id: I8972b16254b141e7102ea87cb6c0d489d8426751 Closes-Bug: #1991219
493 lines
19 KiB
YAML
493 lines
19 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack containerized gnocchi service
|
|
|
|
parameters:
|
|
ContainerGnocchiApiImage:
|
|
description: image
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
ContainerGnocchiConfigImage:
|
|
description: The container image to use for the gnocchi config_volume
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
GnocchiApiLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.gnocchi.api
|
|
file: /var/log/containers/gnocchi/app.log
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
DeployIdentifier:
|
|
default: ''
|
|
type: string
|
|
description: >
|
|
Setting this to a unique value will re-run any deployment tasks which
|
|
perform configuration on a Heat stack-update.
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
NumberOfStorageSacks:
|
|
default: 128
|
|
description: Number of storage sacks to create.
|
|
type: number
|
|
CephClientUserName:
|
|
default: openstack
|
|
type: string
|
|
CephClusterName:
|
|
type: string
|
|
default: ceph
|
|
description: The Ceph cluster name.
|
|
constraints:
|
|
- allowed_pattern: "[a-zA-Z0-9]+"
|
|
description: >
|
|
The Ceph cluster name must be at least 1 character and contain only
|
|
letters and numbers.
|
|
GnocchiFileBasePath:
|
|
default: '/var/lib/gnocchi'
|
|
description: Path to use when file driver is used. This could be NFS or a
|
|
flat file.
|
|
type: string
|
|
GnocchiPassword:
|
|
description: The password for the gnocchi service and db account.
|
|
type: string
|
|
hidden: true
|
|
GnocchiBackend:
|
|
default: swift
|
|
description: The short name of the Gnocchi backend to use. Should be one
|
|
of swift, rbd, file or s3.
|
|
type: string
|
|
constraints:
|
|
- allowed_values: ['swift', 'file', 'rbd', 's3']
|
|
GnocchiNfsEnabled:
|
|
default: false
|
|
description: >
|
|
When using GnocchiBackend 'file', mount NFS share for data storage
|
|
type: boolean
|
|
GnocchiNfsShare:
|
|
default: ''
|
|
description: >
|
|
NFS share to mount for data storage (when GnocchiNfsEnabled is true)
|
|
type: string
|
|
GnocchiNfsOptions:
|
|
default: '_netdev,bg,intr,context=system_u:object_r:container_file_t:s0'
|
|
description: >
|
|
Nfs mount options for data storage (when GnocchiNfsEnabled is true)
|
|
type: string
|
|
GnocchiIncomingStorageDriver:
|
|
default: redis
|
|
description: Storage driver to use for incoming metric data
|
|
type: string
|
|
KeystoneRegion:
|
|
type: string
|
|
default: 'regionOne'
|
|
description: Keystone region for endpoint
|
|
MonitoringSubscriptionGnocchiApi:
|
|
default: 'overcloud-gnocchi-api'
|
|
type: string
|
|
GnocchiApiPolicies:
|
|
description: |
|
|
A hash of policies to configure for Gnocchi API.
|
|
e.g. { gnocchi-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
|
default: {}
|
|
type: json
|
|
GnocchiCorsAllowedOrigin:
|
|
type: string
|
|
default: ''
|
|
description: Indicate whether this resource may be shared with the domain received in the request
|
|
"origin" header.
|
|
CephConfigPath:
|
|
type: string
|
|
default: "/var/lib/tripleo-config/ceph"
|
|
description: |
|
|
The path where the Ceph Cluster config files are stored on the host.
|
|
MemcacheUseAdvancedPool:
|
|
type: boolean
|
|
description: |
|
|
Use the advanced (eventlet safe) memcached client pool.
|
|
default: true
|
|
|
|
conditions:
|
|
cors_allowed_origin_unset: {equals : [{get_param: GnocchiCorsAllowedOrigin}, '']}
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
nfs_backend_enabled: {equals: [{get_param: GnocchiNfsEnabled}, true]}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
MySQLClient:
|
|
type: ../../deployment/database/mysql-client.yaml
|
|
|
|
GnocchiServiceBase:
|
|
type: ./gnocchi-base.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
ApacheServiceBase:
|
|
type: ../../deployment/apache/apache-baremetal-puppet.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
|
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- ContainerGnocchiApiImage: ContainerGnocchiApiImage
|
|
ContainerGnocchiConfigImage: ContainerGnocchiConfigImage
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
ContainerGnocchiApiImage: {get_param: ContainerGnocchiApiImage}
|
|
ContainerGnocchiConfigImage: {get_param: ContainerGnocchiConfigImage}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the gnocchi API role.
|
|
value:
|
|
service_name: gnocchi_api
|
|
firewall_rules:
|
|
'129 gnocchi-api':
|
|
dport:
|
|
- 8041
|
|
firewall_frontend_rules:
|
|
'100 gnocchi_haproxy_frontend':
|
|
dport:
|
|
- 8041
|
|
firewall_ssl_frontend_rules:
|
|
'100 gnocchi_haproxy_frontend_ssl':
|
|
dport:
|
|
- 13041
|
|
keystone_resources:
|
|
gnocchi:
|
|
endpoints:
|
|
public: {get_param: [EndpointMap, GnocchiPublic, uri]}
|
|
internal: {get_param: [EndpointMap, GnocchiInternal, uri]}
|
|
admin: {get_param: [EndpointMap, GnocchiAdmin, uri]}
|
|
users:
|
|
gnocchi:
|
|
password: {get_param: GnocchiPassword}
|
|
roles:
|
|
- admin
|
|
- service
|
|
region: {get_param: KeystoneRegion}
|
|
service: 'metric'
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [GnocchiServiceBase, role_data, config_settings]
|
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
|
- apache::default_vhost: false
|
|
-
|
|
if:
|
|
- cors_allowed_origin_unset
|
|
- {}
|
|
- gnocchi::cors::allowed_origin: {get_param: GnocchiCorsAllowedOrigin}
|
|
gnocchi::api::middlewares: 'oslo_middleware.cors.CORS'
|
|
- gnocchi::api::enabled: true
|
|
gnocchi::api::enable_proxy_headers_parsing: true
|
|
gnocchi::api::service_name: 'httpd'
|
|
gnocchi::api::sync_db: false
|
|
gnocchi::policy::policies: {get_param: GnocchiApiPolicies}
|
|
gnocchi::cors::max_age: 3600
|
|
gnocchi::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
|
gnocchi::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
|
|
gnocchi::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
|
|
gnocchi::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
|
|
gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
|
gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword}
|
|
gnocchi::keystone::authtoken::project_name: 'service'
|
|
gnocchi::keystone::authtoken::user_domain_name: 'Default'
|
|
gnocchi::keystone::authtoken::project_domain_name: 'Default'
|
|
gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
|
gnocchi::keystone::authtoken::interface: 'internal'
|
|
gnocchi::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
|
|
gnocchi::wsgi::apache::access_log_format: 'forwarded'
|
|
gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
|
gnocchi::wsgi::apache::servername:
|
|
str_replace:
|
|
template:
|
|
"%{lookup('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]}
|
|
tripleo::profile::base::gnocchi::api::gnocchi_backend: {get_param: GnocchiBackend}
|
|
tripleo::profile::base::gnocchi::api::incoming_storage_driver: {get_param: GnocchiIncomingStorageDriver}
|
|
tripleo::profile::base::gnocchi::api::gnocchi_rbd_ceph_conf_path: {get_param: CephConfigPath}
|
|
# NOTE: bind IP is found in hiera replacing the network name with the
|
|
# local node IP for the given network; replacement examples
|
|
# (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
gnocchi::wsgi::apache::bind_host:
|
|
str_replace:
|
|
template:
|
|
"%{lookup('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]}
|
|
gnocchi::wsgi::apache::wsgi_process_display_name: 'gnocchi_wsgi'
|
|
service_config_settings:
|
|
map_merge:
|
|
- get_attr: [GnocchiServiceBase, role_data, service_config_settings]
|
|
- rsyslog:
|
|
tripleo_logging_sources_gnocchi_api:
|
|
- {get_param: GnocchiApiLoggingSource}
|
|
mysql:
|
|
gnocchi::db::mysql::password: {get_param: GnocchiPassword}
|
|
gnocchi::db::mysql::user: gnocchi
|
|
gnocchi::db::mysql::host: '%'
|
|
gnocchi::db::mysql::dbname: gnocchi
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: gnocchi
|
|
puppet_tags: gnocchi_api_paste_ini,gnocchi_config,exec
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "include tripleo::profile::base::gnocchi::api"
|
|
- {get_attr: [MySQLClient, role_data, step_config]}
|
|
config_image: {get_attr: [RoleParametersValue, value, ContainerGnocchiConfigImage]}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/gnocchi_api.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files: &gnocchi_api_kolla_config_files
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
|
|
dest: "/etc/httpd/conf.modules.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src-ceph/"
|
|
dest: "/etc/ceph/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions: &gnocchi_api_kolla_permissions
|
|
- path: /var/log/gnocchi
|
|
owner: gnocchi:gnocchi
|
|
recurse: true
|
|
- path:
|
|
str_replace:
|
|
template: /etc/ceph/CLUSTER.client.USER.keyring
|
|
params:
|
|
CLUSTER: {get_param: CephClusterName}
|
|
USER: {get_param: CephClientUserName}
|
|
owner: gnocchi:gnocchi
|
|
perm: '0600'
|
|
- path:
|
|
list_join:
|
|
- "/"
|
|
- - {get_param: GnocchiFileBasePath}
|
|
- "tmp"
|
|
owner: gnocchi:gnocchi
|
|
perm: '0750'
|
|
recurse: true
|
|
/var/lib/kolla/config_files/gnocchi_db_sync.json:
|
|
command:
|
|
str_replace:
|
|
template: /usr/bin/bootstrap_host_exec gnocchi_api /usr/bin/gnocchi-upgrade --sacks-number=SACK_NUM
|
|
params:
|
|
SACK_NUM: {get_param: NumberOfStorageSacks}
|
|
config_files: *gnocchi_api_kolla_config_files
|
|
permissions: *gnocchi_api_kolla_permissions
|
|
docker_config:
|
|
# db sync runs before permissions set by kolla_config
|
|
step_2:
|
|
gnocchi_init_log:
|
|
image: &gnocchi_api_image {get_attr: [RoleParametersValue, value, ContainerGnocchiApiImage]}
|
|
net: none
|
|
user: root
|
|
volumes:
|
|
- /var/log/containers/gnocchi:/var/log/gnocchi:z
|
|
- /var/log/containers/httpd/gnocchi-api:/var/log/httpd:z
|
|
command: ['/bin/bash', '-c', 'chown -R gnocchi:gnocchi /var/log/gnocchi']
|
|
gnocchi_init_lib:
|
|
image: *gnocchi_api_image
|
|
net: none
|
|
user: root
|
|
volumes:
|
|
- str_replace:
|
|
template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH:SE_FLAGS
|
|
params:
|
|
GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}
|
|
SE_FLAGS:
|
|
if:
|
|
- nfs_backend_enabled
|
|
- 'shared'
|
|
- 'shared,z'
|
|
command:
|
|
- '/bin/bash'
|
|
- '-c'
|
|
- str_replace:
|
|
template: 'chown -R gnocchi:gnocchi GNOCCHI_FILE_BASE_PATH'
|
|
params:
|
|
GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}
|
|
step_5:
|
|
gnocchi_db_sync:
|
|
start_order: 0
|
|
image: *gnocchi_api_image
|
|
cap_add:
|
|
- AUDIT_WRITE
|
|
net: host
|
|
detach: false
|
|
privileged: false
|
|
user: root
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/gnocchi_db_sync.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/gnocchi:/var/lib/kolla/config_files/src:ro
|
|
- str_replace:
|
|
template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH:SE_FLAGS
|
|
params:
|
|
GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}
|
|
SE_FLAGS:
|
|
if:
|
|
- nfs_backend_enabled
|
|
- 'shared'
|
|
- 'shared,z'
|
|
- /var/log/containers/gnocchi:/var/log/gnocchi:z
|
|
- /var/log/containers/httpd/gnocchi-api:/var/log/httpd:z
|
|
- list_join:
|
|
- ':'
|
|
- - {get_param: CephConfigPath}
|
|
- - '/var/lib/kolla/config_files/src-ceph'
|
|
- - 'ro'
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
|
|
gnocchi_api:
|
|
image: *gnocchi_api_image
|
|
start_order: 1
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- str_replace:
|
|
template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH:SE_FLAGS
|
|
params:
|
|
GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}
|
|
SE_FLAGS:
|
|
if:
|
|
- nfs_backend_enabled
|
|
- 'shared'
|
|
- 'shared,z'
|
|
- /var/lib/kolla/config_files/gnocchi_api.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/gnocchi:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/gnocchi:/var/log/gnocchi:z
|
|
- /var/log/containers/httpd/gnocchi-api:/var/log/httpd:z
|
|
- list_join:
|
|
- ':'
|
|
- - {get_param: CephConfigPath}
|
|
- - '/var/lib/kolla/config_files/src-ceph'
|
|
- - 'ro'
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- []
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
- []
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
host_prep_tasks:
|
|
- name: create logs directory
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode|default(omit) }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/gnocchi, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/log/containers/httpd/gnocchi-api, 'setype': container_file_t, 'mode': '0750' }
|
|
- name: Mount Gnocchi NFS on host
|
|
vars:
|
|
nfs_backend_enabled: {get_param: GnocchiNfsEnabled}
|
|
nfs_share: {get_param: GnocchiNfsShare}
|
|
nfs_options: {get_param: GnocchiNfsOptions}
|
|
file_base_path: {get_param: GnocchiFileBasePath}
|
|
mount:
|
|
name: "{{file_base_path}}"
|
|
state: mounted
|
|
src: "{{nfs_share}}"
|
|
fstype: nfs
|
|
opts: "{{nfs_options}}"
|
|
when: nfs_backend_enabled
|
|
- name: ensure GnocchiFileBasePath exists
|
|
file:
|
|
path: {get_param: GnocchiFileBasePath}
|
|
state: directory
|
|
setype: container_file_t
|
|
- name: ensure ceph configurations exist
|
|
file:
|
|
path: {get_param: CephConfigPath}
|
|
state: directory
|
|
upgrade_tasks: []
|
|
metadata_settings:
|
|
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
|
deploy_steps_tasks:
|
|
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop gnocchi container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- gnocchi_api
|
|
tripleo_delegate_to: "{{ groups['gnocchi_api'] | difference(groups['excluded_overcloud']) }}"
|