openstack/tripleo-heat-templates
Code Issues Proposed changes
4dca2a4834
tripleo-heat-templates/deployment/glance/glance-api-container-puppet.yaml
Alan Bishop 48fd886a03 Distribute iscsid.conf to all containers using iscsi 
This patch updates the way files related to iscsi are distributed
to the cinder, glance and nova containers that use the protocol.

Previously it was thought that only the iscsid container needs
access to /etc/iscsi/iscsid.conf, but the LP bug reveals the client
side also reads the file in order to determine the list of chap
algorithms to offer when initiating an iscsi connection.

The bug was exposed when testing a secure environment that uses a
non-default list of chap algorithms. The iscsid container was using
the customized list, but the client containers (e.g. nova) were
using the default list, which caused iscsid to reject connections.

Closes-Bug: #1932181
Change-Id: Iad255451726867dc172404513fdac4ad0599c4c0
2021-06-16 10:30:05 -07:00

840 lines
34 KiB
YAML
Raw Blame History

heat_template_version: wallaby
description: >
OpenStack Glance service configured with Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
GlanceDebug:
default: false
description: Set to True to enable debugging Glance service.
type: boolean
EnableSQLAlchemyCollectd:
type: boolean
description: >
Set to true to enable the SQLAlchemy-collectd server plugin
default: false
GlancePassword:
description: The password for the glance service and db account, used by the glance services.
type: string
hidden: true
GlanceWorkers:
default: ''
description: |
Number of API worker processes for Glance. If left unset (empty string), the
default value will result in the configuration being left unset and a
system-dependent default value will be chosen (e.g.: number of
processors). Please note that this will create a large number of
processes on systems with a large number of CPUs resulting in excess
memory consumption. It is recommended that a suitable non-default value
be selected on such systems.
type: string
MonitoringSubscriptionGlanceApi:
default: 'overcloud-glance-api'
type: string
GlanceApiLoggingSource:
type: json
default:
tag: openstack.glance.api
file: /var/log/containers/glance/api.log
GlanceImageMemberQuota:
default: 128
description: |
Maximum number of image members per image.
Negative values evaluate to unlimited.
type: number
GlanceNfsEnabled:
default: false
description: >
When using GlanceBackend 'file', mount NFS share for image storage.
type: boolean
GlanceCacheEnabled:
description: Enable Glance Image Cache
type: boolean
default: False
GlanceImageCacheDir:
description: Base directory that the Image Cache uses
type: string
default: '/var/lib/glance/image-cache'
GlanceImageCacheMaxSize:
description: >
The upper limit on cache size, in bytes, after which the cache-pruner
cleans up the image cache.
type: number
default: 10737418240
GlanceImageCacheStallTime:
description: >
The amount of time, in seconds, to let an image remain in the cache
without being accessed.
type: number
default: 86400
GlanceImagePrefetcherInterval:
description: >
The interval in seconds to run periodic job cache_images.
type: number
default: 300
GlanceNfsShare:
default: ''
description: >
NFS share to mount for image storage (when GlanceNfsEnabled is true)
type: string
GlanceNetappNfsEnabled:
default: false
description: >
When using GlanceBackend 'file', Netapp mount NFS share for image storage.
type: boolean
NetappShareLocation:
default: ''
description: >
Netapp share to mount for image storage (when GlanceNetappNfsEnabled is true)
type: string
GlanceNfsOptions:
default: '_netdev,bg,intr,context=system_u:object_r:container_file_t:s0'
description: >
NFS mount options for image storage (when GlanceNfsEnabled is true)
type: string
GlanceRbdPoolName:
default: images
type: string
NovaEnableRbdBackend:
default: false
description: Whether to enable the Rbd backend for Nova ephemeral storage.
type: boolean
tags:
- role_specific
GlanceShowMultipleLocations:
default: false
description: |
Whether to show multiple image locations e.g for copy-on-write support on
RBD or Netapp backends. Potential security risk, see glance.conf for more information.
type: boolean
# We default import plugins list to 'no_op' (instead of empty list) to discern from the scenario
# in which the user purposely disabled all plugins setting it to an empty list. This is useful
# to automatically enable image_conversion plugin only when value is left to the default.
GlanceImageImportPlugins:
default: ['no_op']
description: >
List of enabled Image Import Plugins. Valid values in the list are
'image_conversion', 'inject_metadata', 'no_op'.
type: comma_delimited_list
GlanceDiskFormats:
default: ''
description: >
List of allowed disk formats in Glance; all formats are allowed when
left unset.
type: comma_delimited_list
GlanceImageConversionOutputFormat:
default: 'raw'
description: Desired output format for image conversion plugin.
type: string
GlanceInjectMetadataProperties:
default: ''
description: Metadata properties to be injected in image.
type: comma_delimited_list
GlanceIgnoreUserRoles:
default: 'admin'
description: List of user roles to be ignored for injecting image metadata properties.
type: comma_delimited_list
GlanceEnabledImportMethods:
default: 'web-download'
description: >
List of enabled Image Import Methods. Valid values in the list are
'glance-direct', 'web-download', or 'copy-image'
type: comma_delimited_list
GlanceStagingNfsShare:
default: ''
description: >
NFS share to mount for image import staging
type: string
GlanceNodeStagingUri:
default: 'file:///var/lib/glance/staging'
description: >
URI that specifies the staging location to use when importing images
type: string
GlanceStagingNfsOptions:
default: '_netdev,bg,intr,context=system_u:object_r:container_file_t:s0'
description: >
NFS mount options for NFS image import staging
type: string
GlanceSparseUploadEnabled:
default: false
description: >
When using GlanceBackend 'file' and 'rbd' to enable or not sparse upload.
type: boolean
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
GlanceApiPolicies:
description: |
A hash of policies to configure for Glance API.
e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
NotificationDriver:
type: comma_delimited_list
default: 'noop'
description: Driver or drivers to handle sending notifications.
EnableInternalTLS:
type: boolean
default: false
GlanceNotifierStrategy:
description: Strategy to use for Glance notification queue
type: string
default: noop
GlanceLogFile:
description: The filepath of the file to use for logging messages from Glance.
type: string
default: ''
GlanceBackend:
default: swift
description: The short name of the Glance backend to use. Should be one
of swift, rbd, cinder, or file
type: string
constraints:
- allowed_values: ['swift', 'file', 'rbd', 'cinder']
GlanceBackendID:
type: string
default: 'default_backend'
description: The default backend's identifier.
constraints:
- allowed_pattern: "[a-zA-Z0-9_-]+"
GlanceStoreDescription:
type: string
default: 'Default glance store backend.'
description: User facing description for the Glance backend.
GlanceMultistoreConfig:
type: json
default: {}
description: |
Dictionary of settings when configuring additional glance backends. The
hash key is the backend ID, and the value is a dictionary of parameter
values unique to that backend. Multiple rbd and cinder backends are allowed, but
file and swift backends are limited to one each. Example:
# Default glance store is rbd.
GlanceBackend: rbd
GlanceStoreDescription: 'Default rbd store'
# GlanceMultistoreConfig specifies a second rbd backend, plus a cinder
# backend.
GlanceMultistoreConfig:
rbd2_store:
GlanceBackend: rbd
GlanceStoreDescription: 'Second rbd store'
CephClusterName: ceph2
# Override CephClientUserName if this cluster uses a different
# client name.
CephClientUserName: client2
cinder1_store:
GlanceBackend: cinder
GlanceCinderVolumeType: 'volume-type-1'
GlanceStoreDescription: 'First cinder store'
cinder2_store:
GlanceBackend: cinder
GlanceCinderVolumeType: 'volume-type-2'
GlanceStoreDescription: 'Seconde cinder store'
GlanceCinderMountPointBase:
default: '/var/lib/glance/mnt'
type: string
description: |
The mount point base when glance is using cinder as store and cinder backend
is NFS. This mount point is where the NFS volume is mounted on the glance node.
GlanceCinderVolumeType:
default: ''
type: string
description: |
A unique volume type required for each cinder store while configuring multiple cinder
stores as glance backends. The same volume types must be configured in Cinder as well.
The volume type must exist in cinder prior to any attempt to add an image in the associated
cinder store. If no volume type is specified then cinder's default volume type will be used.
CephClientUserName:
default: openstack
type: string
CephClusterName:
type: string
default: ceph
description: The Ceph cluster name.
constraints:
- allowed_pattern: "[a-zA-Z0-9]+"
description: >
The Ceph cluster name must be at least 1 character and contain only
letters and numbers.
CephConfigPath:
type: string
default: "/var/lib/tripleo-config/ceph"
description: |
The path where the Ceph Cluster config files are stored on the host.
MultipathdEnable:
default: false
description: Whether to enable the multipath daemon
type: boolean
GlanceApiOptVolumes:
default: []
description: list of optional volumes to be mounted
type: comma_delimited_list
ContainerGlanceApiImage:
description: image
type: string
ContainerGlanceApiConfigImage:
description: The container image to use for the glance_api config_volume
type: string
GlanceCronDbPurgeMinute:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Minute
default: '1'
GlanceCronDbPurgeHour:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Hour
default: '0'
GlanceCronDbPurgeMonthday:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Month Day
default: '*'
GlanceCronDbPurgeMonth:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Month
default: '*'
GlanceCronDbPurgeWeekday:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Week Day
default: '*'
GlanceCronDbPurgeUser:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - User
default: 'glance'
GlanceCronDbPurgeAge:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Age
default: '30'
GlanceCronDbPurgeMaxRows:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Max Rows
default: '100'
GlanceCronDbPurgeDestination:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Log destination
default: '/var/log/glance/glance-rowsflush.log'
GlanceCronDbPurgeMaxDelay:
type: string
description: >
Cron to purge db entries marked as deleted and older than $age - Max Delay
default: '3600'
MemcacheUseAdvancedPool:
type: boolean
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
conditions:
cinder_backend_enabled:
or:
- equals:
- get_param: GlanceBackend
- cinder
- yaql:
expression: $.data.values().any($.get("GlanceBackend", "") = "cinder")
data: {get_param: GlanceMultistoreConfig}
cinder_multipathd_enabled:
and:
- cinder_backend_enabled
- get_param: MultipathdEnable
rbd_backend_enabled:
or:
- equals:
- get_param: GlanceBackend
- rbd
- yaql:
expression: $.data.values().any($.get("GlanceBackend", "") = "rbd")
data: {get_param: GlanceMultistoreConfig}
force_image_conversion_plugin:
or:
- and:
- rbd_backend_enabled
- equals: [{get_param: GlanceImageImportPlugins}, ['no_op']]
- {get_param: NovaEnableRbdBackend}
- {get_param: GlanceSparseUploadEnabled}
glance_workers_set:
not: {equals : [{get_param: GlanceWorkers}, '']}
glance_multiple_locations:
or:
- {get_param: GlanceShowMultipleLocations}
- {get_param: GlanceNetappNfsEnabled}
- and:
# Keep this for compat, but ignore NovaEnableRbdBackend if it's a role param
- rbd_backend_enabled
- get_param: NovaEnableRbdBackend
resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
GlanceLogging:
type: OS::TripleO::Services::Logging::GlanceApi
TLSProxyBase:
type: OS::TripleO::Services::TLSProxyBase
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
description: Role data for the Glance API role.
value:
service_name: glance_api
firewall_rules:
'112 glance_api':
dport:
- 9292
- 13292
keystone_resources:
glance:
endpoints:
public: {get_param: [EndpointMap, GlancePublic, uri]}
internal: {get_param: [EndpointMap, GlanceInternal, uri]}
admin: {get_param: [EndpointMap, GlanceAdmin, uri]}
users:
glance:
password: {get_param: GlancePassword}
region: {get_param: KeystoneRegion}
service: 'image'
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
config_settings:
map_merge:
- get_attr: [TLSProxyBase, role_data, config_settings]
- glance::api::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: glance
password: {get_param: GlancePassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /glance
query:
if:
- {get_param: EnableSQLAlchemyCollectd}
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: glance
collectd_host: localhost
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
glance::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
glance::api::enable_v1_api: false
glance::api::enable_v2_api: true
glance::api::authtoken::password: {get_param: GlancePassword}
glance::api::enable_proxy_headers_parsing: true
glance::api::logging::debug:
if:
- {get_param: GlanceDebug}
- true
- {get_param: Debug}
glance::policy::policies: {get_param: GlanceApiPolicies}
glance::api::authtoken::project_name: 'service'
glance::api::authtoken::region_name: {get_param: KeystoneRegion}
glance::api::authtoken::user_domain_name: 'Default'
glance::api::authtoken::project_domain_name: 'Default'
glance::api::authtoken::interface: 'internal'
glance::api::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
glance::api::pipeline:
if:
- {get_param: GlanceCacheEnabled}
- 'keystone+cachemanagement'
- 'keystone'
glance::api::show_image_direct_url: true
glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]}
glance::api::os_region_name: {get_param: KeystoneRegion}
glance::api::image_member_quota: {get_param: GlanceImageMemberQuota}
glance::api::enabled_import_methods: {get_param: GlanceEnabledImportMethods}
glance::api::node_staging_uri: {get_param: GlanceNodeStagingUri}
glance::api::image_import_plugins:
if:
- force_image_conversion_plugin
- list_concat_unique:
- {get_param: GlanceImageImportPlugins}
- ['image_conversion']
- {get_param: GlanceImageImportPlugins}
glance::api::image_conversion_output_format: {get_param: GlanceImageConversionOutputFormat}
glance::api::inject_metadata_properties: {get_param: GlanceInjectMetadataProperties}
glance::api::ignore_user_roles: {get_param: GlanceIgnoreUserRoles}
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
tripleo::profile::base::glance::api::tls_proxy_bind_ip:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
tripleo::profile::base::glance::api::tls_proxy_fqdn:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
tripleo::profile::base::glance::api::tls_proxy_port:
get_param: [EndpointMap, GlanceInternal, port]
# Bind to localhost if internal TLS is enabled, since we put a TLs
# proxy in front.
glance::api::bind_host:
if:
- {get_param: EnableInternalTLS}
- "%{hiera('localhost_address')}"
- str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
glance_notifier_strategy: {get_param: GlanceNotifierStrategy}
glance_log_file: {get_param: GlanceLogFile}
glance::backend::rbd::rbd_thin_provisioning: {get_param: GlanceSparseUploadEnabled}
glance::backend::file::filesystem_thin_provisioning: {get_param: GlanceSparseUploadEnabled}
glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri] }
glance::backend::swift::swift_store_user: service:glance
glance::backend::swift::swift_store_key: {get_param: GlancePassword}
glance::backend::swift::swift_store_create_container_on_put: true
glance::backend::swift::swift_store_auth_version: 3
glance::backend::rbd::rbd_store_ceph_conf:
list_join:
- ''
- - '/etc/ceph/'
- {get_param: CephClusterName}
- '.conf'
glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName}
glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName}
glance_backend: {get_param: GlanceBackend}
tripleo::profile::base::glance::api::glance_backend_id: {get_param: GlanceBackendID}
tripleo::profile::base::glance::api::glance_store_description: {get_param: GlanceStoreDescription}
tripleo::profile::base::glance::api::multistore_config: {get_param: GlanceMultistoreConfig}
tripleo::profile::base::glance::backend::rbd::glance_rbd_ceph_conf_path: {get_param: CephConfigPath}
glance::notify::rabbitmq::notification_driver: {get_param: NotificationDriver}
glance::cron::db_purge::minute: {get_param: GlanceCronDbPurgeMinute}
glance::cron::db_purge::hour: {get_param: GlanceCronDbPurgeHour}
glance::cron::db_purge::monthday: {get_param: GlanceCronDbPurgeMonthday}
glance::cron::db_purge::month: {get_param: GlanceCronDbPurgeMonth}
glance::cron::db_purge::weekday: {get_param: GlanceCronDbPurgeWeekday}
glance::cron::db_purge::user: {get_param: GlanceCronDbPurgeUser}
glance::cron::db_purge::age: {get_param: GlanceCronDbPurgeAge}
glance::cron::db_purge::max_rows: {get_param: GlanceCronDbPurgeMaxRows}
glance::cron::db_purge::destination: {get_param: GlanceCronDbPurgeDestination}
glance::cron::db_purge::maxdelay: {get_param: GlanceCronDbPurgeMaxDelay}
- if:
- glance_workers_set
- glance::api::workers: {get_param: GlanceWorkers}
- if:
- cinder_backend_enabled
- glance::backend::cinder::cinder_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
glance::backend::cinder::cinder_store_project_name: 'service'
glance::backend::cinder::cinder_store_user_name: 'glance'
glance::backend::cinder::cinder_store_password: {get_param: GlancePassword}
tripleo::profile::base::glance::backend::cinder::cinder_mount_point_base: {get_param: GlanceCinderMountPointBase}
tripleo::profile::base::glance::backend::cinder::cinder_volume_type: {get_param: GlanceCinderVolumeType}
-
if:
- cinder_multipathd_enabled
- glance::backend::cinder::cinder_use_multipath: true
- if:
- {get_param: GlanceCacheEnabled}
- tripleo::profile::base::glance::api::glance_enable_cache: true
glance::api::image_cache_dir: {get_param: GlanceImageCacheDir}
glance::api::image_cache_max_size: {get_param: GlanceImageCacheMaxSize}
glance::api::image_cache_stall_time: {get_param: GlanceImageCacheStallTime}
glance::api::cache_prefetcher_interval: {get_param: GlanceImagePrefetcherInterval}
- if:
- {get_param: GlanceNetappNfsEnabled}
- tripleo::profile::base::glance::netapp::netapp_share: {get_param: NetappShareLocation}
glance::api::filesystem_store_metadata_file: '/etc/glance/glance-metadata-file.json'
glance::api::filesystem_store_file_perm: '0644'
- if:
- not: {equals: [{get_param: GlanceDiskFormats}, []]}
- glance::api::disk_formats: {get_param: GlanceDiskFormats}
service_config_settings:
mysql:
glance::db::mysql::password: {get_param: GlancePassword}
glance::db::mysql::user: glance
glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
glance::db::mysql::dbname: glance
glance::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
rsyslog:
tripleo_logging_sources_glance_api:
- {get_param: GlanceApiLoggingSource}
# BEGIN DOCKER SETTINGS #
puppet_config:
config_volume: glance_api
puppet_tags: glance_api_config,glance_api_paste_ini,glance_swift_config,glance_cache_config,glance_image_import_config
step_config:
list_join:
- "\n"
- - include tripleo::profile::base::glance::api
- if:
- {get_param: GlanceNetappNfsEnabled}
- include tripleo::profile::base::glance::netapp
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: ContainerGlanceApiConfigImage}
kolla_config:
/var/lib/kolla/config_files/glance_api.json:
command: /usr/bin/glance-api --config-file /usr/share/glance/glance-api-dist.conf --config-file /etc/glance/glance-api.conf --config-file /etc/glance/glance-image-import.conf
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-ceph/"
dest: "/etc/ceph/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-iscsid/*"
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
permissions:
list_concat:
- - path: /var/lib/glance
owner: glance:glance
recurse: true
- path:
str_replace:
template: /etc/ceph/CLUSTER.client.USER.keyring
params:
CLUSTER: {get_param: CephClusterName}
USER: {get_param: CephClientUserName}
owner: glance:glance
perm: '0600'
- repeat:
template:
path: /etc/ceph/<%keyring%>
owner: glance:glance
perm: '0600'
for_each:
<%keyring%>:
yaql:
expression: let(u => $.data.user) -> $.data.multistore.values().where($.get("CephClusterName")).select("{0}.client.{1}.keyring".format($.CephClusterName, $.get("CephClientUserName", $u)))
data:
user: {get_param: CephClientUserName}
multistore: {get_param: GlanceMultistoreConfig}
/var/lib/kolla/config_files/glance_api_tls_proxy.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
/var/lib/kolla/config_files/glance_api_cron.json:
command: /usr/sbin/crond -n
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/glance
owner: glance:glance
recurse: true
docker_config:
step_2:
get_attr: [GlanceLogging, docker_config, step_2]
step_3:
glance_api_db_sync:
image: &glance_api_image {get_param: ContainerGlanceApiImage}
net: host
privileged: false
detach: false
user: root
volumes: &glance_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [GlanceLogging, volumes]}
- {get_param: GlanceApiOptVolumes}
- - /var/lib/kolla/config_files/glance_api.json:/var/lib/kolla/config_files/config.json
- /var/lib/config-data/puppet-generated/glance_api:/var/lib/kolla/config_files/src:ro
- list_join:
- ':'
- - {get_param: CephConfigPath}
- - '/var/lib/kolla/config_files/src-ceph'
- - 'ro'
- /var/lib/config-data/puppet-generated/iscsid/etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
- /var/lib/glance:/var/lib/glance:slave
- if:
- cinder_backend_enabled
- - /dev:/dev
- /var/lib/iscsi:/var/lib/iscsi:z
- if:
- cinder_multipathd_enabled
- - /etc/multipath:/etc/multipath:z
- /etc/multipath.conf:/etc/multipath.conf:ro
environment:
KOLLA_BOOTSTRAP: true
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
command: "/usr/bin/bootstrap_host_exec glance_api su glance -s /bin/bash -c '/usr/local/bin/kolla_start'"
step_4:
glance_api:
start_order: 2
image: *glance_api_image
net: host
privileged: {if: [cinder_backend_enabled, true, false]}
restart: always
healthcheck:
test: /openstack/healthcheck
volumes: *glance_volumes
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
glance_api_tls_proxy:
if:
- {get_param: EnableInternalTLS}
- start_order: 3
image: *glance_api_image
net: host
user: root
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [GlanceLogging, volumes]}
-
- /var/lib/kolla/config_files/glance_api_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/glance_api:/var/lib/kolla/config_files/src:ro
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
glance_api_cron:
start_order: 2
image: *glance_api_image
net: host
user: root
privileged: false
restart: always
healthcheck:
test: '/usr/share/openstack-tripleo-common/healthcheck/cron glance'
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [GlanceLogging, volumes]}
-
- /var/lib/kolla/config_files/glance_api_cron.json:/var/lib/kolla/config_files/config.json
- /var/lib/config-data/puppet-generated/glance_api:/var/lib/kolla/config_files/src:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks:
list_concat:
- {get_attr: [GlanceLogging, host_prep_tasks]}
- - name: Mount NFS on host
vars:
nfs_backend_enabled: {get_param: GlanceNfsEnabled}
glance_netapp_nfs_enabled: {get_param: GlanceNetappNfsEnabled}
glance_nfs_share: {get_param: GlanceNfsShare}
netapp_share_location: {get_param: NetappShareLocation}
nfs_share: "{{ glance_nfs_share if (glance_nfs_share) else netapp_share_location }}"
nfs_options: {get_param: GlanceNfsOptions}
mount:
name: /var/lib/glance/images
state: mounted
fstype: nfs
src: "{{nfs_share}}"
opts: "{{nfs_options}}"
when: nfs_backend_enabled or glance_netapp_nfs_enabled
- name: Mount Node Staging Location
vars:
glance_node_staging_uri: {get_param: GlanceNodeStagingUri}
glance_staging_nfs_share: {get_param: GlanceStagingNfsShare}
glance_nfs_options: {get_param: GlanceStagingNfsOptions}
# Gleaning mount point by stripping "file://" prefix from staging uri
mount:
name: "{{glance_node_staging_uri[7:]}}"
state: mounted
fstype: nfs
src: "{{glance_staging_nfs_share}}"
opts: "{{glance_nfs_options}}"
when: glance_staging_nfs_share != ''
- name: ensure ceph configurations exist
file:
path: {get_param: CephConfigPath}
state: directory
- name: ensure /var/lib/glance exists
file:
path: /var/lib/glance
state: directory
setype: container_file_t
metadata_settings:
get_attr: [TLSProxyBase, role_data, metadata_settings]
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop glance api container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- glance_api
- glance_api_cron
tripleo_delegate_to: "{{ groups['glance_api'] | default([]) }}"
View Git Blame Copy Permalink