openstack/tripleo-heat-templates
Code Issues Proposed changes
162541f242
tripleo-heat-templates/docker/services/keystone.yaml
Jose Luis Franco Arza 40467b0f3f [Rocky/Queens Only] Remove pre-upgrade validation tasks in cont services. 
The pre-upgrade validation tasks in the containerized services made
sense when upgrading from non-containerized to containerized overcloud
(ocata to pike), however we kept them for queens and rocky
release thinking about using them during the undercloud upgrade from
non-containerized to containerized (queens to rocky) but they
were skipped there too [0]. It's beeing observed in the current
upgrades taken place by operators, that these validations are
causing more issues than it was thought, so let's get rid of
them from all the containerized services in Queens and Rocky.

Closes-Bug: #1829858

[0] - https://github.com/openstack/python-tripleoclient/blob/stable/rocky/tripleoclient/v1/tripleo_deploy.py#L833

Change-Id: If99ea62b6cefb140a9c918b8f6a774658c52d54b
(cherry picked from commit 7e0a4d0e52)
2019-06-04 14:07:47 +02:00

293 lines
11 KiB
YAML
Raw Blame History

heat_template_version: queens
description: >
OpenStack containerized Keystone service
parameters:
DockerKeystoneImage:
description: image
type: string
DockerKeystoneConfigImage:
description: The container image to use for the keystone config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
AdminPassword:
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
type: string
hidden: true
KeystoneTokenProvider:
description: The keystone token format
type: string
default: 'fernet'
constraints:
- allowed_values: ['uuid', 'fernet']
EnableInternalTLS:
type: boolean
default: false
resources:
ContainersCommon:
type: ./containers-common.yaml
MySQLClient:
type: ../../puppet/services/database/mysql-client.yaml
KeystoneBase:
type: ../../puppet/services/keystone.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
KeystoneLogging:
type: OS::TripleO::Services::Logging::Keystone
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
description: Role data for the Keystone API role.
value:
service_name: {get_attr: [KeystoneBase, role_data, service_name]}
config_settings:
map_merge:
- get_attr: [KeystoneBase, role_data, config_settings]
- get_attr: [KeystoneLogging, config_settings]
- apache::default_vhost: false
logging_source: {get_attr: [KeystoneBase, role_data, logging_source]}
logging_groups: {get_attr: [KeystoneBase, role_data, logging_groups]}
service_config_settings: {get_attr: [KeystoneBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: keystone
puppet_tags: keystone_config,keystone_domain_config
step_config:
list_join:
- "\n"
- - "['Keystone_user', 'Keystone_endpoint', 'Keystone_domain', 'Keystone_tenant', 'Keystone_user_role', 'Keystone_role', 'Keystone_service'].each |String $val| { noop_resource($val) }"
- {get_attr: [KeystoneBase, role_data, step_config]}
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: &keystone_config_image {get_param: DockerKeystoneConfigImage}
kolla_config:
/var/lib/kolla/config_files/keystone.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/keystone/fernet-keys"
dest: "/etc/keystone/fernet-keys"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/keystone_cron.json:
# FIXME(dprince): this is unused ATM because Kolla hardcodes the
# args for the keystone container to -DFOREGROUND
command: /usr/sbin/crond -n
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/keystone
owner: keystone:keystone
recurse: true
docker_config:
# Kolla_bootstrap/db sync runs before permissions set by kolla_config
step_2:
get_attr: [KeystoneLogging, docker_config, step_2]
step_3:
keystone_db_sync:
image: &keystone_image {get_param: DockerKeystoneImage}
net: host
user: root
privileged: false
detach: false
volumes: &keystone_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [KeystoneLogging, volumes]}
-
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- ''
environment:
list_concat:
- - KOLLA_BOOTSTRAP=True
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- {get_attr: [KeystoneLogging, environment]}
command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start']
keystone:
start_order: 2
image: *keystone_image
net: host
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes: *keystone_volumes
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
keystone_bootstrap:
start_order: 3
action: exec
user: root
command:
[ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ]
keystone_cron:
start_order: 4
image: *keystone_image
user: root
net: host
privileged: false
restart: always
command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n']
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [KeystoneLogging, volumes]}
-
- /var/lib/kolla/config_files/keystone_cron.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/keystone/:/var/lib/kolla/config_files/src:ro
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
step_4:
# There are cases where we need to refresh keystone after the resource provisioning,
# such as the case of using LDAP backends for domains. So we trigger a graceful
# restart [1], which shouldn't cause service disruption, but will reload new
# configurations for keystone.
# [1] https://httpd.apache.org/docs/2.4/stopping.html#graceful
keystone_refresh:
start_order: 1
action: exec
user: root
command:
[ 'keystone', 'pkill', '--signal', 'USR1', 'httpd' ]
docker_puppet_tasks:
# Keystone endpoint creation occurs only on single node
step_3:
config_volume: 'keystone_init_tasks'
puppet_tags: 'keystone_config,keystone_domain_config,keystone_endpoint,keystone_identity_provider,keystone_paste_ini,keystone_role,keystone_service,keystone_tenant,keystone_user,keystone_user_role,keystone_domain'
step_config: 'include ::tripleo::profile::base::keystone'
config_image: *keystone_config_image
host_prep_tasks: {get_attr: [KeystoneLogging, host_prep_tasks]}
upgrade_tasks:
- when: step|int == 0
tags: common
block:
- name: Check for keystone running under apache
shell: "httpd -t -D DUMP_VHOSTS | grep -q keystone_wsgi"
ignore_errors: True
register: keystone_httpd_enabled_result
- set_fact:
keystone_httpd_enabled: "{{ keystone_httpd_enabled_result.rc == 0 }}"
- name: Check if httpd is running
command: systemctl is-active --quiet httpd
ignore_errors: True
register: httpd_running_result
when: httpd_running is undefined
- set_fact:
httpd_running: "{{ httpd_running_result.rc == 0 }}"
when: httpd_running is undefined
- when: step|int == 2
block:
- name: Stop and disable keystone service (running under httpd)
when:
- keystone_httpd_enabled|bool
- httpd_running|bool
service: name=httpd state=stopped enabled=no
- name: remove old keystone cron jobs
file:
path: /var/spool/cron/keystone
state: absent
metadata_settings:
get_attr: [KeystoneBase, role_data, metadata_settings]
fast_forward_upgrade_tasks:
- name: Check for keystone running under apache
tags: common
shell: "httpd -t -D DUMP_VHOSTS | grep -q keystone_wsgi"
ignore_errors: true
register: keystone_httpd_enabled_result
when:
- step|int == 0
- release == 'ocata'
- name: Set fact keystone_httpd_enabled
set_fact:
keystone_httpd_enabled: "{{ keystone_httpd_enabled_result.rc == 0 }}"
when:
- step|int == 0
- release == 'ocata'
- name: Check if httpd is running
ignore_errors: True
command: systemctl is-active --quiet httpd
register: httpd_running_result
when:
- step|int == 0
- release == 'ocata'
- httpd_running is undefined
- name: Set fact httpd_running if undefined
set_fact:
httpd_running: "{{ httpd_running_result.rc == 0 }}"
when:
- step|int == 0
- release == 'ocata'
- httpd_running is undefined
- name: Stop and disable keystone (under httpd)
service: name=httpd state=stopped enabled=no
when:
- step|int == 1
- release == 'ocata'
- keystone_httpd_enabled|bool
- httpd_running|bool
- name: Keystone package update
shell: yum -y update openstack-keystone*
when:
- step|int == 6
- is_bootstrap_node|bool
- name: keystone db sync
command: keystone-manage db_sync
when:
- step|int == 8
- is_bootstrap_node|bool
View Git Blame Copy Permalink