40467b0f3f
The pre-upgrade validation tasks in the containerized services made
sense when upgrading from non-containerized to containerized overcloud
(ocata to pike), however we kept them for queens and rocky
release thinking about using them during the undercloud upgrade from
non-containerized to containerized (queens to rocky) but they
were skipped there too [0]. It's beeing observed in the current
upgrades taken place by operators, that these validations are
causing more issues than it was thought, so let's get rid of
them from all the containerized services in Queens and Rocky.
Closes-Bug: #1829858
[0] - https://github.com/openstack/python-tripleoclient/blob/stable/rocky/tripleoclient/v1/tripleo_deploy.py#L833
Change-Id: If99ea62b6cefb140a9c918b8f6a774658c52d54b
(cherry picked from commit 7e0a4d0e52
)
252 lines
9.6 KiB
YAML
252 lines
9.6 KiB
YAML
heat_template_version: queens
|
|
|
|
description: >
|
|
OpenStack containerized Rabbitmq service
|
|
|
|
parameters:
|
|
DockerRabbitmqImage:
|
|
description: image
|
|
type: string
|
|
DockerRabbitmqConfigImage:
|
|
description: The container image to use for the rabbitmq config_volume
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
RabbitCookie:
|
|
type: string
|
|
default: ''
|
|
hidden: true
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
|
|
conditions:
|
|
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ./containers-common.yaml
|
|
|
|
RabbitmqBase:
|
|
type: ../../puppet/services/rabbitmq.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Rabbitmq API role.
|
|
value:
|
|
service_name: {get_attr: [RabbitmqBase, role_data, service_name]}
|
|
# RabbitMQ plugins initialization occurs on every node
|
|
config_settings:
|
|
map_merge:
|
|
- {get_attr: [RabbitmqBase, role_data, config_settings]}
|
|
- rabbitmq::admin_enable: false
|
|
- if:
|
|
- internal_tls_enabled
|
|
- tripleo::certmonger::rabbitmq::postsave_cmd: "true" # TODO: restart the rabbitmq container here
|
|
- {}
|
|
logging_source: {get_attr: [RabbitmqBase, role_data, logging_source]}
|
|
logging_groups: {get_attr: [RabbitmqBase, role_data, logging_groups]}
|
|
service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: rabbitmq
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "['Rabbitmq_policy', 'Rabbitmq_user'].each |String $val| { noop_resource($val) }"
|
|
- get_attr: [RabbitmqBase, role_data, step_config]
|
|
config_image: &rabbitmq_config_image {get_param: DockerRabbitmqConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/rabbitmq.json:
|
|
command: /usr/lib/rabbitmq/bin/rabbitmq-server
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
optional: true
|
|
permissions:
|
|
- path: /var/lib/rabbitmq
|
|
owner: rabbitmq:rabbitmq
|
|
recurse: true
|
|
- path: /etc/pki/tls/certs/rabbitmq.crt
|
|
owner: rabbitmq:rabbitmq
|
|
optional: true
|
|
- path: /etc/pki/tls/private/rabbitmq.key
|
|
owner: rabbitmq:rabbitmq
|
|
optional: true
|
|
docker_config:
|
|
# Kolla_bootstrap runs before permissions set by kolla_config
|
|
step_1:
|
|
rabbitmq_init_logs:
|
|
start_order: 0
|
|
detach: false
|
|
image: &rabbitmq_image {get_param: DockerRabbitmqImage}
|
|
privileged: false
|
|
user: root
|
|
volumes:
|
|
- /var/log/containers/rabbitmq:/var/log/rabbitmq
|
|
command: ['/bin/bash', '-c', 'chown -R rabbitmq:rabbitmq /var/log/rabbitmq']
|
|
rabbitmq_bootstrap:
|
|
start_order: 1
|
|
detach: false
|
|
image: *rabbitmq_image
|
|
net: host
|
|
privileged: false
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
|
|
- /var/lib/rabbitmq:/var/lib/rabbitmq
|
|
- /var/log/containers/rabbitmq:/var/log/rabbitmq
|
|
- if:
|
|
- internal_tls_enabled
|
|
-
|
|
- list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro'
|
|
- /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro
|
|
- /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro
|
|
- null
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
- KOLLA_BOOTSTRAP=True
|
|
-
|
|
list_join:
|
|
- '='
|
|
- - 'RABBITMQ_CLUSTER_COOKIE'
|
|
-
|
|
yaql:
|
|
expression: $.data.passwords.where($ != '').first()
|
|
data:
|
|
passwords:
|
|
- {get_param: RabbitCookie}
|
|
- {get_param: [DefaultPasswords, rabbit_cookie]}
|
|
rabbitmq:
|
|
start_order: 2
|
|
image: *rabbitmq_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
|
|
- /var/lib/rabbitmq:/var/lib/rabbitmq
|
|
- /var/log/containers/rabbitmq:/var/log/rabbitmq
|
|
- if:
|
|
- internal_tls_enabled
|
|
-
|
|
- list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro'
|
|
- /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro
|
|
- /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro
|
|
- null
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
docker_puppet_tasks:
|
|
# RabbitMQ users and policies initialization occurs only on single node
|
|
step_1:
|
|
config_volume: 'rabbit_init_tasks'
|
|
puppet_tags: 'rabbitmq_policy,rabbitmq_user'
|
|
step_config: 'include ::tripleo::profile::base::rabbitmq'
|
|
config_image: *rabbitmq_config_image
|
|
volumes:
|
|
- /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro
|
|
- /var/lib/rabbitmq:/var/lib/rabbitmq:ro
|
|
metadata_settings:
|
|
get_attr: [RabbitmqBase, role_data, metadata_settings]
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
setype: "{{ item.setype }}"
|
|
state: directory
|
|
with_items:
|
|
- { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t }
|
|
- { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
|
|
- { 'path': /var/log/rabbitmq, 'setype': svirt_sandbox_file_t }
|
|
- name: rabbitmq logs readme
|
|
copy:
|
|
dest: /var/log/rabbitmq/readme.txt
|
|
content: |
|
|
Log files from rabbitmq containers can be found under
|
|
/var/log/containers/rabbitmq.
|
|
ignore_errors: true
|
|
upgrade_tasks:
|
|
- when: step|int == 0
|
|
tags: common
|
|
block:
|
|
- name: Check if rabbitmq server is deployed
|
|
command: systemctl is-enabled --quiet rabbitmq-server
|
|
ignore_errors: True
|
|
register: rabbitmq_enabled_result
|
|
- name: Set fact rabbitmq_enabled
|
|
set_fact:
|
|
rabbitmq_enabled: "{{ rabbitmq_enabled_result.rc == 0 }}"
|
|
- when: step|int == 2
|
|
block:
|
|
- name: Stop and disable rabbitmq service
|
|
when: rabbitmq_enabled|bool
|
|
service: name=rabbitmq-server state=stopped enabled=no
|
|
# TODO: Removal of package
|
|
update_tasks:
|
|
# TODO: Are we sure we want to support this. Rolling update
|
|
# without pacemaker may fail. Do we test this ? In any case,
|
|
# this is under paunch control so the latest image should be
|
|
# pulled in by the deploy steps. Same question for other
|
|
# usually managed by pacemaker container.
|