openstack/tripleo-heat-templates
Code Issues Proposed changes
162541f242
tripleo-heat-templates/docker/services/rabbitmq.yaml
Jose Luis Franco Arza 40467b0f3f [Rocky/Queens Only] Remove pre-upgrade validation tasks in cont services. 
The pre-upgrade validation tasks in the containerized services made
sense when upgrading from non-containerized to containerized overcloud
(ocata to pike), however we kept them for queens and rocky
release thinking about using them during the undercloud upgrade from
non-containerized to containerized (queens to rocky) but they
were skipped there too [0]. It's beeing observed in the current
upgrades taken place by operators, that these validations are
causing more issues than it was thought, so let's get rid of
them from all the containerized services in Queens and Rocky.

Closes-Bug: #1829858

[0] - https://github.com/openstack/python-tripleoclient/blob/stable/rocky/tripleoclient/v1/tripleo_deploy.py#L833

Change-Id: If99ea62b6cefb140a9c918b8f6a774658c52d54b
(cherry picked from commit 7e0a4d0e52)
2019-06-04 14:07:47 +02:00

252 lines
9.6 KiB
YAML
Raw Blame History

heat_template_version: queens
description: >
OpenStack containerized Rabbitmq service
parameters:
DockerRabbitmqImage:
description: image
type: string
DockerRabbitmqConfigImage:
description: The container image to use for the rabbitmq config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
RabbitCookie:
type: string
default: ''
hidden: true
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
ContainersCommon:
type: ./containers-common.yaml
RabbitmqBase:
type: ../../puppet/services/rabbitmq.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Rabbitmq API role.
value:
service_name: {get_attr: [RabbitmqBase, role_data, service_name]}
# RabbitMQ plugins initialization occurs on every node
config_settings:
map_merge:
- {get_attr: [RabbitmqBase, role_data, config_settings]}
- rabbitmq::admin_enable: false
- if:
- internal_tls_enabled
- tripleo::certmonger::rabbitmq::postsave_cmd: "true" # TODO: restart the rabbitmq container here
- {}
logging_source: {get_attr: [RabbitmqBase, role_data, logging_source]}
logging_groups: {get_attr: [RabbitmqBase, role_data, logging_groups]}
service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: rabbitmq
step_config:
list_join:
- "\n"
- - "['Rabbitmq_policy', 'Rabbitmq_user'].each |String $val| { noop_resource($val) }"
- get_attr: [RabbitmqBase, role_data, step_config]
config_image: &rabbitmq_config_image {get_param: DockerRabbitmqConfigImage}
kolla_config:
/var/lib/kolla/config_files/rabbitmq.json:
command: /usr/lib/rabbitmq/bin/rabbitmq-server
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/rabbitmq
owner: rabbitmq:rabbitmq
recurse: true
- path: /etc/pki/tls/certs/rabbitmq.crt
owner: rabbitmq:rabbitmq
optional: true
- path: /etc/pki/tls/private/rabbitmq.key
owner: rabbitmq:rabbitmq
optional: true
docker_config:
# Kolla_bootstrap runs before permissions set by kolla_config
step_1:
rabbitmq_init_logs:
start_order: 0
detach: false
image: &rabbitmq_image {get_param: DockerRabbitmqImage}
privileged: false
user: root
volumes:
- /var/log/containers/rabbitmq:/var/log/rabbitmq
command: ['/bin/bash', '-c', 'chown -R rabbitmq:rabbitmq /var/log/rabbitmq']
rabbitmq_bootstrap:
start_order: 1
detach: false
image: *rabbitmq_image
net: host
privileged: false
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
- /var/lib/rabbitmq:/var/lib/rabbitmq
- /var/log/containers/rabbitmq:/var/log/rabbitmq
- if:
- internal_tls_enabled
-
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro
- /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- KOLLA_BOOTSTRAP=True
-
list_join:
- '='
- - 'RABBITMQ_CLUSTER_COOKIE'
-
yaql:
expression: $.data.passwords.where($ != '').first()
data:
passwords:
- {get_param: RabbitCookie}
- {get_param: [DefaultPasswords, rabbit_cookie]}
rabbitmq:
start_order: 2
image: *rabbitmq_image
net: host
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
- /var/lib/rabbitmq:/var/lib/rabbitmq
- /var/log/containers/rabbitmq:/var/log/rabbitmq
- if:
- internal_tls_enabled
-
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro
- /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
docker_puppet_tasks:
# RabbitMQ users and policies initialization occurs only on single node
step_1:
config_volume: 'rabbit_init_tasks'
puppet_tags: 'rabbitmq_policy,rabbitmq_user'
step_config: 'include ::tripleo::profile::base::rabbitmq'
config_image: *rabbitmq_config_image
volumes:
- /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro
- /var/lib/rabbitmq:/var/lib/rabbitmq:ro
metadata_settings:
get_attr: [RabbitmqBase, role_data, metadata_settings]
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
setype: "{{ item.setype }}"
state: directory
with_items:
- { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/rabbitmq, 'setype': svirt_sandbox_file_t }
- name: rabbitmq logs readme
copy:
dest: /var/log/rabbitmq/readme.txt
content: |
Log files from rabbitmq containers can be found under
/var/log/containers/rabbitmq.
ignore_errors: true
upgrade_tasks:
- when: step|int == 0
tags: common
block:
- name: Check if rabbitmq server is deployed
command: systemctl is-enabled --quiet rabbitmq-server
ignore_errors: True
register: rabbitmq_enabled_result
- name: Set fact rabbitmq_enabled
set_fact:
rabbitmq_enabled: "{{ rabbitmq_enabled_result.rc == 0 }}"
- when: step|int == 2
block:
- name: Stop and disable rabbitmq service
when: rabbitmq_enabled|bool
service: name=rabbitmq-server state=stopped enabled=no
# TODO: Removal of package
update_tasks:
# TODO: Are we sure we want to support this. Rolling update
# without pacemaker may fail. Do we test this ? In any case,
# this is under paunch control so the latest image should be
# pulled in by the deploy steps. Same question for other
# usually managed by pacemaker container.
View Git Blame Copy Permalink