tripleo-heat-templates/deployment/memcached/memcached-container-puppet.yaml
Takashi Kajinami 073e581e62 Enable debug of memcached when Debug is enabled
This restores the previous behavior changed by recent refactoring about
the *Debug parameters, and ensures that the global Debug parameter also
affects memcached logging.

Closes-Bug: #1940303
Change-Id: I5b8c71793476dd7673015928254d8fa8b499351d
2021-08-17 23:20:10 +09:00

378 lines
15 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack containerized Memcached services
parameters:
ContainerMemcachedImage:
description: image
type: string
ContainerMemcachedConfigImage:
description: The container image to use for the memcached config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
MemcachedMaxMemory:
default: '50%'
description: The maximum amount of memory for memcached to be configured
to use when installed. This can be either a percentage ('50%')
or a fixed value ('2048').
type: string
MemcachedMaxConnections:
default: 8192
description: The maximum number of connections to be accepted by memcached
type: number
MonitoringSubscriptionMemcached:
default: 'overcloud-memcached'
type: string
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
MemcachedDebug:
default: false
description: Set to True to enable debugging Memcached service.
type: boolean
MemcachedIpSubnet:
default: ''
description: IP address/subnet on the memcached network. If empty (default), MemcachedNetwork
will be taken. Useful in the case where an operator wants to open Memcached outside
of the internal network. Use this parameter with caution and be aware of
opening memcached to external network can be dangerous.
type: string
MemcachedPort:
default: 11211
description: Port to have Memcached listening at.
When using MemcachedTLS, this has to be set to a different
port then the default - see below.
type: number
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
MemcachedCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
# NOTE: A non-tls port is necessary while there are still services
# consuming Memcached that do not support TLS. Once all services
# do support TLS, this config should be dropped.
enable_non_tls_port:
and:
- {get_param: MemcachedTLS}
- not: {equals: [{get_param: MemcachedPort}, 11211]}
memcached_network_set:
not: {equals : [{get_param: MemcachedIpSubnet}, '']}
memcached_debug:
or:
- {get_param: Debug}
- {get_param: MemcachedDebug}
is_ipv6:
equals:
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MemcachedNetwork]}]}
- 6
key_size_override_set:
not: {equals: [{get_param: MemcachedCertificateKeySize}, '']}
resources:
ContainersCommon:
type: ../containers-common.yaml
outputs:
role_data:
description: Role data for the Memcached API role.
value:
service_name: memcached
firewall_rules:
# https://access.redhat.com/security/cve/cve-2018-1000115
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
# Memcached traffic shouldn't be open on the internet.
# Even if binding is configured on internal_api network, enforce it
# via firewall as well.
if:
- memcached_network_set
- '121 memcached':
dport:
list_concat:
- - {get_param: MemcachedPort}
- if:
- enable_non_tls_port
- [11211]
proto: 'tcp'
source: {get_param: MemcachedIpSubnet}
- map_merge:
repeat:
for_each:
<%net_cidr%>:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, MemcachedNetwork]}
template:
'121 memcached <%net_cidr%>':
dport:
list_concat:
- - {get_param: MemcachedPort}
- if:
- enable_non_tls_port
- [11211]
proto: 'tcp'
source: <%net_cidr%>
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
config_settings:
map_merge:
- memcached::listen:
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
list_concat:
- - if:
- is_ipv6
- '::1'
- '127.0.0.1'
- str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
- if:
- enable_non_tls_port
- - str_replace:
template:
"notls:%{hiera('$NETWORK_uri')}:11211"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
- if:
- is_ipv6
- 'notls:[::1]:11211'
- 'notls:127.0.0.1:11211'
# NOTE(xek): the IP addresses are configured with:
# memcached::listen - the new way
# memcached::listen_ip - will be deprecated
# see: https://github.com/saz/puppet-memcached/pull/127
memcached::listen_ip:
- if:
- is_ipv6
- '::1'
- '127.0.0.1'
- str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
memcached::listen_ip_uri:
- if:
- is_ipv6
- '::1'
- '127.0.0.1'
- str_replace:
template:
"%{hiera('$NETWORK_uri')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
memcached::tcp_port: {get_param: MemcachedPort}
memcached::max_connections: {get_param: MemcachedMaxConnections}
memcached::max_memory: {get_param: MemcachedMaxMemory}
# https://access.redhat.com/security/cve/cve-2018-1000115
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
memcached::udp_port: 0
memcached::verbosity:
list_join:
- ''
- - 'v'
- if:
- memcached_debug
- 'v'
- ''
memcached::disable_cachedump: true
memcached::logstdout: true
tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS}
- if:
- {get_param: MemcachedTLS}
- tripleo::memcached::service_certificate: '/etc/pki/tls/certs/memcached.crt'
tripleo::profile::base::memcached::certificate_specs:
service_certificate: '/etc/pki/tls/certs/memcached.crt'
service_key: '/etc/pki/tls/private/memcached.key'
service_config_settings:
collectd:
tripleo.collectd.plugins.memcached:
- memcached
collectd::plugin::memcached::instances:
local:
host: "%{hiera('memcached::listen_ip_uri')}"
port: # collectd has no support to Memcached+TLS yet.
- if:
- enable_non_tls_port
- 11211
- {get_param: MemcachedPort}
global_config_settings:
# NOTE: This config is necessary while there are still services
# consuming Memcached that do not support TLS. Once all services
# do support TLS, this config should be dropped.
if:
- enable_non_tls_port
- memcached_port: {get_param: MemcachedPort}
memcached_authtoken_port: 11211
- memcached_port: {get_param: MemcachedPort}
memcached_authtoken_port: {get_param: MemcachedPort}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: 'memcached'
puppet_tags: 'file'
step_config: |
include tripleo::profile::base::memcached
config_image: {get_param: ContainerMemcachedConfigImage}
kolla_config:
/var/lib/kolla/config_files/memcached.json:
command: bash -c $* -- eval source /etc/sysconfig/memcached; exec /usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS >> /var/log/memcached/memcached.log 2>&1
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/memcached
owner: memcached:memcached
recurse: true
- path: /etc/pki/tls/certs/memcached.crt
owner: memcached:memcached
optional: true
- path: /etc/pki/tls/private/memcached.key
owner: memcached:memcached
optional: true
docker_config:
step_1:
memcached:
start_order: 0
image: {get_param: ContainerMemcachedImage}
net: host
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/memcached.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/memcached:/var/lib/kolla/config_files/src:rw,z
- /var/log/containers/memcached:/var/log/memcached:rw
- if:
- {get_param: MemcachedTLS}
- - /etc/pki/tls/certs/memcached.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/memcached.crt:ro
- /etc/pki/tls/private/memcached.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/memcached.key:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
metadata_settings:
if:
- {get_param: MemcachedTLS}
- - service: memcached
network: {get_param: [ServiceNetMap, MemcachedNetwork]}
type: node
deploy_steps_tasks:
if:
- {get_param: MemcachedTLS}
- - name: Certificate generation
when: step|int == 1
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: memcached
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
principal:
str_replace:
template: "memcached/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep memcached)
service_crt="/etc/pki/tls/certs/memcached.crt"
service_key="/etc/pki/tls/private/memcached.key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
# Set appropriate permissions
{{container_cli}} exec -u root "$container_name" chown memcached:memcached "$service_crt"
{{container_cli}} exec -u root "$container_name" chown memcached:memcached "$service_key"
# Send refresh_certs command to memcached to read the new certificate
memcached_ip="$(hiera -c /etc/puppet/hiera.yaml memcached::listen_ip.0 127.0.0.1)"
memcached_port="$(hiera -c /etc/puppet/hiera.yaml memcached::tcp_port 11211)"
echo refresh_certs | openssl s_client -connect $memcached_ip:$memcached_port
key_size:
if:
- key_size_override_set
- {get_param: MemcachedCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode }}"
with_items:
- { 'path': /var/log/containers/memcached, 'setype': container_file_t, 'mode': '0750' }
upgrade_tasks: []
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop memcached container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- memcached
tripleo_delegate_to: "{{ groups['memcached'] | default([]) }}"