tripleo-heat-templates/deployment/horizon/horizon-container-puppet.yaml
Takashi Kajinami a75cc9a953 Use /var/tmp on host to store temporal files for image upload via Horizon
Previously we use /tmp inside horizon container to store temporal files
for image upload via Horizon, but this makes the image size grow for
each upload operation.

This patch makes sure that we use host directory to store temporal
file, so that it is not written inside container.

Change-Id: Ic32e7a2db83bb5a0fb3c69708be9be96435dd030
Closes-Bug: 1840607
2019-08-19 13:36:17 +09:00

357 lines
13 KiB
YAML

heat_template_version: rocky
description: >
OpenStack containerized Horizon service
parameters:
ContainerHorizonImage:
description: image
type: string
ContainerHorizonConfigImage:
description: The container image to use for the horizon config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
HorizonDebug:
default: false
description: Set to True to enable debugging Horizon service.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
HorizonAllowedHosts:
default: '*'
description: A list of IP/Hostname for the server Horizon is running on.
Used for header checks.
type: comma_delimited_list
HorizonPasswordValidator:
description: Regex for password validation
type: string
default: ''
HorizonPasswordValidatorHelp:
description: Help text for password validation
type: string
default: ''
HorizonSecret:
description: Secret key for Django
type: string
hidden: true
default: ''
HorizonSecureCookies:
description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
type: boolean
default: false
MemcachedIPv6:
default: false
description: Enable IPv6 features in Memcached.
type: boolean
MonitoringSubscriptionHorizon:
default: 'overcloud-horizon'
type: string
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
HorizonVhostExtraParams:
default:
add_listen: true
priority: 10
access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
options: ['FollowSymLinks','MultiViews']
description: Extra parameters for Horizon vhost configuration
type: json
HorizonCustomizationModule:
default: ''
description: Horizon has a global overrides mechanism available to perform customizations
type: string
TimeZone:
default: 'UTC'
description: The timezone to be set on the overcloud.
type: string
WebSSOEnable:
default: false
type: boolean
description: Enable support for Web Single Sign-On
WebSSOInitialChoice:
default: 'OIDC'
type: string
description: The initial authentication choice to select by default
WebSSOChoices:
default:
- ['OIDC', 'OpenID Connect']
type: json
description: Specifies the list of SSO authentication choices to present.
Each item is a list of an SSO choice identifier and a display
message.
WebSSOIDPMapping:
default:
'OIDC': ['myidp', 'openid']
type: json
description: Specifies a mapping from SSO authentication choice to identity
provider and protocol. The identity provider and protocol names
must match the resources defined in keystone.
conditions:
debug_unset: {equals : [{get_param: Debug}, '']}
websso_enabled: {equals : [{get_param: WebSSOEnable}, True]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
ContainersCommon:
type: ../containers-common.yaml
outputs:
role_data:
description: Role data for the Horizon API role.
value:
service_name: horizon
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
config_settings:
map_merge:
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
tripleo::horizon::firewall_rules:
'126 horizon':
dport:
- 80
- 443
horizon::enable_secure_proxy_ssl_header: true
horizon::disable_password_reveal: true
horizon::enforce_password_check: true
horizon::disallow_iframe_embed: true
horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams}
horizon::bind_address:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]}
horizon::password_validator: {get_param: [HorizonPasswordValidator]}
horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
horizon::secret_key:
yaql:
expression: $.data.passwords.where($ != '').first()
data:
passwords:
- {get_param: HorizonSecret}
- {get_param: [DefaultPasswords, horizon_secret]}
horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
memcached_ipv6: {get_param: MemcachedIPv6}
horizon::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::listen_ssl: {get_param: EnableInternalTLS}
horizon::horizon_ca: {get_param: InternalTLSCAFile}
horizon::customization_module: {get_param: HorizonCustomizationModule}
horizon::timezone: {get_param: TimeZone}
horizon::file_upload_temp_dir: '/var/tmp'
-
if:
- websso_enabled
-
horizon::websso_enabled:
get_param: WebSSOEnable
horizon::websso_initial_choice:
get_param: WebSSOInitialChoice
horizon::websso_choices:
get_param: WebSSOChoices
horizon::websso_idp_mapping:
get_param: WebSSOIDPMapping
- {}
-
if:
- debug_unset
- horizon::django_debug: { get_param: HorizonDebug }
- horizon::django_debug: { get_param: Debug }
service_config_settings:
keystone:
keystone_enable_member: true
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: horizon
puppet_tags: horizon_config
step_config: |
include ::tripleo::profile::base::horizon
config_image: {get_param: ContainerHorizonConfigImage}
kolla_config:
/var/lib/kolla/config_files/horizon.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/horizon/
owner: apache:apache
recurse: true
# NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to
# horizon:horizon - the policy.json files need read permissions for the apache user
# FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead
- path: /etc/openstack-dashboard/
owner: apache:apache
recurse: true
# FIXME Apache tries to write a .lock file there
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/
owner: apache:apache
recurse: false
# FIXME Our theme settings are there
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/
owner: apache:apache
recurse: false
docker_config:
step_2:
horizon_fix_perms:
image: &horizon_image {get_param: ContainerHorizonImage}
net: none
user: root
# NOTE Set ownership for /var/log/horizon/horizon.log file here,
# otherwise it's created by root when generating django cache.
# FIXME Apache needs to read files in /etc/openstack-dashboard
# Need to set permissions to match the BM case,
# http://paste.openstack.org/show/609819/
command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log ; chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard']
volumes:
- /var/log/containers/horizon:/var/log/horizon:z
- /var/log/containers/httpd/horizon:/var/log/httpd:z
- /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard
step_3:
horizon:
image: *horizon_image
net: host
privileged: false
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/horizon/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/horizon:/var/log/horizon:z
- /var/log/containers/httpd/horizon:/var/log/httpd:z
- /var/tmp/:/var/tmp/:z
- /var/www/:/var/www/:ro
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- ''
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
# Installed plugins:
- ENABLE_CLOUDKITTY=no
- ENABLE_IRONIC=yes
- ENABLE_MAGNUM=no
- ENABLE_MANILA=yes
- ENABLE_HEAT=yes
# murano depends on heat-dashboard that is not yet installed
# https://bugs.launchpad.net/tripleo/+bug/1752132
- ENABLE_MURANO=no
- ENABLE_MISTRAL=yes
- ENABLE_OCTAVIA=yes
- ENABLE_SAHARA=yes
- ENABLE_TROVE=no
# Not installed:
- ENABLE_FREEZER=no
- ENABLE_FWAAS=no
- ENABLE_KARBOR=no
- ENABLE_DESIGNATE=no
- ENABLE_SEARCHLIGHT=no
- ENABLE_SENLIN=no
- ENABLE_SOLUM=no
- ENABLE_TACKER=no
- ENABLE_WATCHER=no
- ENABLE_ZAQAR=no
- ENABLE_ZUN=no
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/horizon, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/httpd/horizon, 'setype': svirt_sandbox_file_t }
- { 'path': /var/www, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/horizon, 'setype': svirt_sandbox_file_t }
- name: horizon logs readme
copy:
dest: /var/log/horizon/readme.txt
content: |
Log files from horizon containers can be found under
/var/log/containers/horizon and /var/log/containers/httpd/horizon.
ignore_errors: true
upgrade_tasks: []
post_upgrade_tasks:
- when: step|int == 1
import_role:
name: tripleo-docker-rm
vars:
containers_to_rm:
- horizon
tripleo_container_cli: "docker"
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop horizon container
import_role:
name: tripleo-container-stop
vars:
tripleo_containers_to_stop:
- horizon
tripleo_delegate_to: "{{ groups['horizon'] | default([]) }}"