openstack/tripleo-heat-templates
Code Issues Proposed changes
tripleo-heat-templates/puppet/services/docker.yaml
Bogdan Dobrelya 8f4738362a Rework neutron/own agent wrapper tools for podman 
Add ContainerCli parameter, default to docker. Possible values:
podman/docker (default).

Deprecate DockerAdditionalSockets so it does nothing for podman.
Nested podman CLI replaces docker sockets. Only bind mount
/var/lib/openstack for the neutron/ovn agents for docker.

Support debug messages for Neutron/OVN wrappers controled via
NeutronWrapperDebug and OWNWrapperDebug (defaults to False). Or
globally controlled by Debug.

Make the wrapper containers managed by its parent processes and
not exited/removed forcibly, when the parent container restarts.

Background for podman CLI replacing the docker socket:

We'll use 'nsenter -m -n -p -t 1 podman' in wrappers
to execute podman in the same namespaces as on the host
and to NOT bind-mount world for that, like:
- /sys/fs/cgroup:/sys/fs/cgroup
- /run/libpod:/run/libpod
- /run/containers:/run/containers
- /run/runc:/run/runc
- /run/runc-ctrs:/run/runc-ctrs
- /var/lib/containers:/var/lib/containers
- /etc/containers:/etc/containers:ro
- /usr/bin/podman:/usr/bin/podman:ro
- /usr/bin/runc:/usr/bin/runc:ro
- /usr/libexec/podman/conmon:/usr/libexec/podman/conmon:ro
- /usr/lib64/libseccomp.so.2:/usr/lib64/libseccomp.so.2:ro
...

We cannot use chroot /host instead as there is more bind-mounts to use
outside of the /host chroot. Maybe varlink is a good replacement for
all of that, but it's not there yet.

Change-Id: I055fb7a5fd20932c5bee665bb96678f3ae92bffe
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2018-11-07 09:48:40 +01:00

134 lines
4.9 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
Configures docker on the host
parameters:
DockerInsecureRegistryAddress:
description: Optional. The IP Address and Port of an insecure docker
namespace that will be configured in /etc/sysconfig/docker.
The value can be multiple addresses separated by commas.
type: comma_delimited_list
default: []
DockerRegistryMirror:
description: Optional. Mirror to use for registry docker.io
default: ''
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
Debug:
type: boolean
default: false
description: Set to True to enable debugging on all services.
DockerDebug:
default: ''
description: Set to True to enable debugging Docker services.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
DockerOptions:
default: '--log-driver=journald --signature-verification=false --iptables=false --live-restore'
description: Options that are used to startup the docker service.
type: string
DockerAdditionalSockets:
default: ['/var/lib/openstack/docker.sock']
description: Additional domain sockets for the docker daemon to bind to (useful for mounting
into containers that launch other containers)
type: comma_delimited_list
DockerNetworkOptions:
default: '--bip=172.31.0.1/24'
description: More startup options, like CIDR for the default docker0 bridge (useful for the
network configuration conflicts resolution)
type: string
DeploymentUser:
default: ''
description: User added to the docker group in order to use container commands.
type: string
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- DockerAdditionalSockets
conditions:
insecure_registry_is_empty: {equals : [{get_param: DockerInsecureRegistryAddress}, []]}
service_debug_unset: {equals : [{get_param: DockerDebug}, '']}
outputs:
role_data:
description: Role data for the docker service
value:
service_name: docker
config_settings: {}
step_config: ''
host_prep_tasks:
- name: Install, Configure and Run Docker
block:
# NOTE(bogdando): w/a https://github.com/ansible/ansible/issues/42621
- set_fact: &docker_vars
container_registry_debug:
if:
- service_debug_unset
- {get_param: Debug }
- {get_param: DockerDebug}
container_registry_deployment_user: {get_param: DeploymentUser}
container_registry_docker_options: {get_param: DockerOptions}
container_registry_additional_sockets: {get_param: DockerAdditionalSockets}
container_registry_insecure_registries:
if:
- insecure_registry_is_empty
- []
- {get_param: DockerInsecureRegistryAddress}
container_registry_mirror: {get_param: DockerRegistryMirror}
container_registry_network_options: {get_param: DockerNetworkOptions}
- include_role:
name: container-registry
tasks_from: docker
service_config_settings:
neutron_l3:
docker_additional_sockets: {get_param: DockerAdditionalSockets}
neutron_dhcp:
docker_additional_sockets: {get_param: DockerAdditionalSockets}
ovn_metadata:
docker_additional_sockets: {get_param: DockerAdditionalSockets}
upgrade_tasks:
- name: Install docker packages on upgrade if missing
when: step|int == 3
package: name=docker state=latest
update_tasks:
- name: Restart Docker when needed
when: step|int == 2
block:
- set_fact: *docker_vars
- include_role:
name: container-registry
tasks_from: docker-update
View Git Blame Copy Permalink