openstack/tripleo-heat-templates
Code Issues Proposed changes
3e983806e0
tripleo-heat-templates/deployment/cinder/cinder-api-container-puppet.yaml

457 lines
17 KiB
YAML
Raw Blame History

heat_template_version: wallaby
description: >
OpenStack containerized Cinder API service
parameters:
ContainerCinderApiImage:
description: image
type: string
tags:
- role_specific
ContainerCinderConfigImage:
description: The container image to use for the cinder config_volume
type: string
tags:
- role_specific
CinderApiLoggingSource:
type: json
default:
tag: openstack.cinder.api
file: /var/log/containers/cinder/cinder-api.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
EnableInternalTLS:
type: boolean
default: false
CinderDefaultVolumeType:
default: tripleo
description: The name of Cinder's default volume type.
type: string
constraints:
- allowed_pattern: ".*\\S.*"
description: >
The default volume type name cannot be empty.
CinderEnableDBPurge:
default: true
description: |
Whether to create cron job for purging soft deleted rows in Cinder database.
type: boolean
CinderPassword:
description: The password for the cinder service and db account.
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
MonitoringSubscriptionCinderApi:
default: 'overcloud-cinder-api'
type: string
CinderWorkers:
type: string
description: Set the number of workers for cinder::wsgi::apache
default: '%{::os_workers}'
CinderApiPolicies:
description: |
A hash of policies to configure for Cinder API.
e.g. { cinder-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
CinderApiWsgiTimeout:
default: 60
description: The number of seconds until a Cinder API WSGI connection times out.
type: number
NotificationDriver:
type: comma_delimited_list
default: 'noop'
description: Driver or drivers to handle sending notifications.
RootStackName:
description: The name of the stack/plan.
type: string
MemcacheUseAdvancedPool:
type: boolean
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
AuthCloudName:
description: Entry in clouds.yaml to use for authentication
type: string
default: ""
conditions:
auth_cloud_name_set:
not: {equals: [{get_param: AuthCloudName}, ""]}
resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
CinderBase:
type: ./cinder-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
CinderCommon:
type: ./cinder-common-container-puppet.yaml
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerCinderApiImage: ContainerCinderApiImage
ContainerCinderConfigImage: ContainerCinderConfigImage
- values: {get_param: [RoleParameters]}
- values:
ContainerCinderApiImage: {get_param: ContainerCinderApiImage}
ContainerCinderConfigImage: {get_param: ContainerCinderConfigImage}
outputs:
role_data:
description: Role data for the Cinder API role.
value:
service_name: cinder_api
firewall_rules:
'119 cinder':
dport:
- 8776
firewall_frontend_rules:
'100 cinder_haproxy_frontend':
dport:
- 8776
firewall_ssl_frontend_rules:
'100 cinder_haproxy_frontend_ssl':
dport:
- 13776
keystone_resources:
cinder:
users:
cinder:
password: {get_param: CinderPassword}
roles:
- admin
- service
cinderv3:
endpoints:
public: {get_param: [EndpointMap, CinderV3Public, uri]}
internal: {get_param: [EndpointMap, CinderV3Internal, uri]}
admin: {get_param: [EndpointMap, CinderV3Admin, uri]}
users:
cinderv3:
password: {get_param: CinderPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'volumev3'
monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi}
config_settings:
map_merge:
- get_attr: [CinderBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- keystone_resources_managed: false
- cinder::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
cinder::keystone::authtoken::password: {get_param: CinderPassword}
cinder::keystone::authtoken::project_name: 'service'
cinder::keystone::authtoken::user_domain_name: 'Default'
cinder::keystone::authtoken::project_domain_name: 'Default'
cinder::keystone::authtoken::region_name: {get_param: KeystoneRegion}
cinder::keystone::authtoken::interface: 'internal'
cinder::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
cinder::policy::policies: {get_param: CinderApiPolicies}
cinder::notification_driver: {get_param: NotificationDriver}
cinder::api::default_volume_type: {get_param: CinderDefaultVolumeType}
cinder::api::enable_proxy_headers_parsing: true
tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
cinder::api::bind_host:
str_replace:
template:
"%{lookup('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
cinder::wsgi::apache::access_log_format: 'forwarded'
cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS}
cinder::api::service_name: 'httpd'
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
cinder::wsgi::apache::bind_host:
str_replace:
template:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
cinder::wsgi::apache::servername:
str_replace:
template:
"%{lookup('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
cinder::wsgi::apache::vhost_custom_fragment:
str_replace:
template:
"Timeout TIMEOUT"
params:
TIMEOUT: {get_param: CinderApiWsgiTimeout}
cinder::wsgi::apache::workers: {get_param: CinderWorkers}
cinder::api::sync_db: false
service_config_settings:
rsyslog:
tripleo_logging_sources_cinder_api:
- {get_param: CinderApiLoggingSource}
mysql:
cinder::db::mysql::password: {get_param: CinderPassword}
cinder::db::mysql::user: cinder
cinder::db::mysql::host: '%'
cinder::db::mysql::dbname: cinder
horizon:
horizon::policy::cinder_policies: {get_param: CinderApiPolicies}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: cinder
puppet_tags: cinder_config,file,concat,file_line,cinder_api_paste_ini
step_config:
list_join:
- "\n"
- - "include tripleo::profile::base::cinder::api"
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_attr: [RoleParametersValue, value, ContainerCinderConfigImage]}
kolla_config:
/var/lib/kolla/config_files/cinder_api.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files: &cinder_api_config_files
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions: &cinder_api_permissions
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
/var/lib/kolla/config_files/cinder_api_db_sync.json:
command: "/usr/bin/bootstrap_host_exec cinder_api su cinder -s /bin/bash -c 'cinder-manage db sync --bump-versions'"
config_files: *cinder_api_config_files
permissions: *cinder_api_permissions
/var/lib/kolla/config_files/cinder_api_cron.json:
command: /usr/sbin/crond -n
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
docker_config:
step_2:
cinder_api_init_logs:
image: &cinder_api_image {get_attr: [RoleParametersValue, value, ContainerCinderApiImage]}
net: none
privileged: false
user: root
volumes:
- /var/log/containers/cinder:/var/log/cinder:z
- /var/log/containers/httpd/cinder-api:/var/log/httpd:z
command: ['/bin/bash', '-c', 'chown -R cinder:cinder /var/log/cinder']
step_3:
cinder_api_db_sync:
image: *cinder_api_image
net: host
privileged: false
detach: false
user: root
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/cinder_api_db_sync.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/cinder:/var/lib/kolla/config_files/src:ro
- /var/log/containers/cinder:/var/log/cinder:z
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
step_4:
cinder_api:
image: *cinder_api_image
net: host
privileged: false
restart: always
# NOTE(mandre) kolla image changes the user to 'cinder', we need it
# to be root to run httpd
user: root
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [CinderCommon, cinder_common_volumes]}
- - /var/lib/kolla/config_files/cinder_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/log/containers/httpd/cinder-api:/var/log/httpd:z
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
cinder_api_cron:
image: *cinder_api_image
net: host
user: root
privileged: false
restart: always
healthcheck:
test: '/usr/share/openstack-tripleo-common/healthcheck/cron cinder'
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/cinder_api_cron.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/cinder:/var/lib/kolla/config_files/src:ro
- /var/log/containers/cinder:/var/log/cinder:z
- /var/log/containers/httpd/cinder-api:/var/log/httpd:z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
deploy_steps_tasks:
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- { 'path': /var/log/containers/cinder, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/cinder-api, 'setype': container_file_t, 'mode': '0750' }
external_upgrade_tasks:
- when: step|int == 1
block: &cinder_online_db_migration
- name: Online data migration for Cinder
command: "{{ container_cli }} exec cinder_api cinder-manage db online_data_migrations"
delegate_to: "{{ (groups['cinder_api'] | difference(groups['excluded_overcloud']))[0] }}"
become: true
tags:
- online_upgrade
- online_upgrade_cinder
- when: step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop cinder api container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- cinder_api
- cinder_api_cron
tripleo_delegate_to: "{{ groups['cinder_api'] | difference(groups['excluded_overcloud']) }}"
external_update_tasks:
- when: step|int == 1
block: *cinder_online_db_migration
external_deploy_tasks:
- name: Manage Cinder's default volume type
become: true
vars:
default_volume_type: {get_param: CinderDefaultVolumeType}
environment:
OS_CLOUD:
if:
- auth_cloud_name_set
- {get_param: AuthCloudName}
- {get_param: RootStackName}
when:
- step|int == 5
- not ansible_check_mode|bool
shell: |
if ! openstack volume type show "{{ default_volume_type }}"; then
openstack volume type create --public "{{ default_volume_type }}"
fi
eval $(openstack volume type show __DEFAULT__ -f shell -c id -c description)
if [ -n "$id" ]; then
vols=$(openstack volume list -f value -c ID)
tripleo_descr="For internal use, '{{ default_volume_type }}' is the default volume type"
if [ -z "$vols" ]; then
openstack volume type delete $id
elif [ "$description" != "$tripleo_descr" ]; then
openstack volume type set $id --description "$tripleo_descr"
fi
fi
args:
executable: /bin/bash
changed_when: false
View Git Blame Copy Permalink