096fa87741
Previously the kolla config is merging the existing apache configuration files in the container with our generated ones. This can lead to extra configurations in the containers that we are not expecting. This change updates the kolla configs to not merge the httpd conf.d folder so we only end up with our expected configurations. Change-Id: Ibb9bbeb12e73b2cf8887554f461873e42532edd7 Related-Bug: 1813084
231 lines
8.8 KiB
YAML
231 lines
8.8 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized Horizon service
|
|
|
|
parameters:
|
|
DockerHorizonImage:
|
|
description: image
|
|
type: string
|
|
DockerHorizonConfigImage:
|
|
description: The container image to use for the horizon config_volume
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
|
|
conditions:
|
|
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ./containers-common.yaml
|
|
|
|
HorizonBase:
|
|
type: ../../puppet/services/horizon.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Horizon API role.
|
|
value:
|
|
service_name: {get_attr: [HorizonBase, role_data, service_name]}
|
|
config_settings: {get_attr: [HorizonBase, role_data, config_settings]}
|
|
service_config_settings: {get_attr: [HorizonBase, role_data, service_config_settings]}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: horizon
|
|
puppet_tags: horizon_config
|
|
step_config: {get_attr: [HorizonBase, role_data, step_config]}
|
|
config_image: {get_param: DockerHorizonConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/horizon.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/horizon/
|
|
owner: apache:apache
|
|
recurse: true
|
|
# NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to
|
|
# horizon:horizon - the policy.json files need read permissions for the apache user
|
|
# FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead
|
|
- path: /etc/openstack-dashboard/
|
|
owner: apache:apache
|
|
recurse: true
|
|
# FIXME Apache tries to write a .lock file there
|
|
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/
|
|
owner: apache:apache
|
|
recurse: false
|
|
# FIXME Our theme settings are there
|
|
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/
|
|
owner: apache:apache
|
|
recurse: false
|
|
docker_config:
|
|
step_2:
|
|
horizon_fix_perms:
|
|
image: &horizon_image {get_param: DockerHorizonImage}
|
|
net: none
|
|
user: root
|
|
# NOTE Set ownership for /var/log/horizon/horizon.log file here,
|
|
# otherwise it's created by root when generating django cache.
|
|
# FIXME Apache needs to read files in /etc/openstack-dashboard
|
|
# Need to set permissions to match the BM case,
|
|
# http://paste.openstack.org/show/609819/
|
|
command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log && chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard']
|
|
volumes:
|
|
- /var/log/containers/horizon:/var/log/horizon:z
|
|
- /var/log/containers/httpd/horizon:/var/log/httpd:z
|
|
- /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard
|
|
step_3:
|
|
horizon:
|
|
image: *horizon_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/horizon/:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/horizon:/var/log/horizon:z
|
|
- /var/log/containers/httpd/horizon:/var/log/httpd:z
|
|
- /var/www/:/var/www/:ro
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- ''
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
- ''
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
# Installed plugins:
|
|
- ENABLE_CLOUDKITTY=no
|
|
- ENABLE_IRONIC=yes
|
|
- ENABLE_MAGNUM=no
|
|
- ENABLE_MANILA=no
|
|
- ENABLE_HEAT=yes
|
|
# murano depends on heat-dashboard that is not yet installed
|
|
# https://bugs.launchpad.net/tripleo/+bug/1752132
|
|
- ENABLE_MURANO=no
|
|
- ENABLE_MISTRAL=yes
|
|
- ENABLE_NEUTRON_LBAAS=yes
|
|
- ENABLE_OCTAVIA=yes
|
|
- ENABLE_SAHARA=yes
|
|
- ENABLE_TROVE=no
|
|
# Not installed:
|
|
- ENABLE_FREEZER=no
|
|
- ENABLE_FWAAS=no
|
|
- ENABLE_KARBOR=no
|
|
- ENABLE_DESIGNATE=no
|
|
- ENABLE_SEARCHLIGHT=no
|
|
- ENABLE_SENLIN=no
|
|
- ENABLE_SOLUM=no
|
|
- ENABLE_TACKER=no
|
|
- ENABLE_WATCHER=no
|
|
- ENABLE_ZAQAR=no
|
|
- ENABLE_ZUN=no
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/horizon, 'setype': svirt_sandbox_file_t }
|
|
- { 'path': /var/log/containers/httpd/horizon, 'setype': svirt_sandbox_file_t }
|
|
- { 'path': /var/www, 'setype': svirt_sandbox_file_t }
|
|
- { 'path': /var/log/horizon, 'setype': svirt_sandbox_file_t }
|
|
- name: horizon logs readme
|
|
copy:
|
|
dest: /var/log/horizon/readme.txt
|
|
content: |
|
|
Log files from horizon containers can be found under
|
|
/var/log/containers/horizon and /var/log/containers/httpd/horizon.
|
|
ignore_errors: true
|
|
upgrade_tasks:
|
|
- when: step|int == 0
|
|
tags: common
|
|
block:
|
|
- name: Check for horizon running under apache
|
|
shell: "httpd -t -D DUMP_VHOSTS | grep -q horizon_vhost"
|
|
ignore_errors: True
|
|
register: horizon_httpd_enabled_result
|
|
- set_fact:
|
|
horizon_httpd_enabled: "{{ horizon_httpd_enabled_result.rc == 0 }}"
|
|
- name: Check if httpd is running
|
|
command: systemctl is-active --quiet httpd
|
|
ignore_errors: True
|
|
register: httpd_running_result
|
|
when: httpd_running is undefined
|
|
- name: Set fact httpd_running
|
|
set_fact:
|
|
httpd_running: "{{ httpd_running_result.rc == 0 }}"
|
|
when: httpd_running is undefined
|
|
- name: "PreUpgrade step0,validation: Check if horizon is running"
|
|
shell: systemctl is-active --quiet httpd
|
|
when:
|
|
- horizon_httpd_enabled|bool
|
|
- httpd_running|bool
|
|
tags: validation
|
|
- name: Stop and disable horizon service (running under httpd)
|
|
when:
|
|
- step|int == 2
|
|
- httpd_running|bool
|
|
service: name=httpd state=stopped enabled=no
|
|
post_upgrade_tasks:
|
|
- when: step|int == 1
|
|
import_role:
|
|
name: tripleo-docker-rm
|
|
vars:
|
|
containers_to_rm:
|
|
- horizon
|
|
metadata_settings:
|
|
get_attr: [HorizonBase, role_data, metadata_settings]
|