tripleo-heat-templates/docker/services/horizon.yaml
Alex Schultz 096fa87741 Explicitly manage http configs
Previously the kolla config is merging the existing apache configuration
files in the container with our generated ones. This can lead to extra
configurations in the containers that we are not expecting. This change
updates the kolla configs to not merge the httpd conf.d folder so we only
end up with our expected configurations.

Change-Id: Ibb9bbeb12e73b2cf8887554f461873e42532edd7
Related-Bug: 1813084
2019-01-24 11:08:28 -07:00

231 lines
8.8 KiB
YAML

heat_template_version: rocky
description: >
OpenStack containerized Horizon service
parameters:
DockerHorizonImage:
description: image
type: string
DockerHorizonConfigImage:
description: The container image to use for the horizon config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
ContainersCommon:
type: ./containers-common.yaml
HorizonBase:
type: ../../puppet/services/horizon.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Horizon API role.
value:
service_name: {get_attr: [HorizonBase, role_data, service_name]}
config_settings: {get_attr: [HorizonBase, role_data, config_settings]}
service_config_settings: {get_attr: [HorizonBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: horizon
puppet_tags: horizon_config
step_config: {get_attr: [HorizonBase, role_data, step_config]}
config_image: {get_param: DockerHorizonConfigImage}
kolla_config:
/var/lib/kolla/config_files/horizon.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/horizon/
owner: apache:apache
recurse: true
# NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to
# horizon:horizon - the policy.json files need read permissions for the apache user
# FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead
- path: /etc/openstack-dashboard/
owner: apache:apache
recurse: true
# FIXME Apache tries to write a .lock file there
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/
owner: apache:apache
recurse: false
# FIXME Our theme settings are there
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/
owner: apache:apache
recurse: false
docker_config:
step_2:
horizon_fix_perms:
image: &horizon_image {get_param: DockerHorizonImage}
net: none
user: root
# NOTE Set ownership for /var/log/horizon/horizon.log file here,
# otherwise it's created by root when generating django cache.
# FIXME Apache needs to read files in /etc/openstack-dashboard
# Need to set permissions to match the BM case,
# http://paste.openstack.org/show/609819/
command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log && chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard']
volumes:
- /var/log/containers/horizon:/var/log/horizon:z
- /var/log/containers/httpd/horizon:/var/log/httpd:z
- /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard
step_3:
horizon:
image: *horizon_image
net: host
privileged: false
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/horizon/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/horizon:/var/log/horizon:z
- /var/log/containers/httpd/horizon:/var/log/httpd:z
- /var/www/:/var/www/:ro
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- ''
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
# Installed plugins:
- ENABLE_CLOUDKITTY=no
- ENABLE_IRONIC=yes
- ENABLE_MAGNUM=no
- ENABLE_MANILA=no
- ENABLE_HEAT=yes
# murano depends on heat-dashboard that is not yet installed
# https://bugs.launchpad.net/tripleo/+bug/1752132
- ENABLE_MURANO=no
- ENABLE_MISTRAL=yes
- ENABLE_NEUTRON_LBAAS=yes
- ENABLE_OCTAVIA=yes
- ENABLE_SAHARA=yes
- ENABLE_TROVE=no
# Not installed:
- ENABLE_FREEZER=no
- ENABLE_FWAAS=no
- ENABLE_KARBOR=no
- ENABLE_DESIGNATE=no
- ENABLE_SEARCHLIGHT=no
- ENABLE_SENLIN=no
- ENABLE_SOLUM=no
- ENABLE_TACKER=no
- ENABLE_WATCHER=no
- ENABLE_ZAQAR=no
- ENABLE_ZUN=no
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/horizon, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/httpd/horizon, 'setype': svirt_sandbox_file_t }
- { 'path': /var/www, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/horizon, 'setype': svirt_sandbox_file_t }
- name: horizon logs readme
copy:
dest: /var/log/horizon/readme.txt
content: |
Log files from horizon containers can be found under
/var/log/containers/horizon and /var/log/containers/httpd/horizon.
ignore_errors: true
upgrade_tasks:
- when: step|int == 0
tags: common
block:
- name: Check for horizon running under apache
shell: "httpd -t -D DUMP_VHOSTS | grep -q horizon_vhost"
ignore_errors: True
register: horizon_httpd_enabled_result
- set_fact:
horizon_httpd_enabled: "{{ horizon_httpd_enabled_result.rc == 0 }}"
- name: Check if httpd is running
command: systemctl is-active --quiet httpd
ignore_errors: True
register: httpd_running_result
when: httpd_running is undefined
- name: Set fact httpd_running
set_fact:
httpd_running: "{{ httpd_running_result.rc == 0 }}"
when: httpd_running is undefined
- name: "PreUpgrade step0,validation: Check if horizon is running"
shell: systemctl is-active --quiet httpd
when:
- horizon_httpd_enabled|bool
- httpd_running|bool
tags: validation
- name: Stop and disable horizon service (running under httpd)
when:
- step|int == 2
- httpd_running|bool
service: name=httpd state=stopped enabled=no
post_upgrade_tasks:
- when: step|int == 1
import_role:
name: tripleo-docker-rm
vars:
containers_to_rm:
- horizon
metadata_settings:
get_attr: [HorizonBase, role_data, metadata_settings]