tripleo-heat-templates/deployment/glance/glance-api-container-puppet.yaml
Michele Baldessari 53465f7f29 Make sure glance_api_tls_proxy logs are persisted on the host
The logs for the glance_api_tls_proxy containers are not persisted on
the host and hence get lost at the restart of the container.  Said
container has httpd inside of it so we need to make sure that the httpd
logs are persisted on the host just like the other containers that use
httpd.

Tested this review and I correctly get the logs persisted on a
TLS-everywhere environment:
[root@controller-0 ~]# ls -l /var/log/containers/httpd/glance/
total 1040
-rw-r--r--. 1 root root   5864 Nov 28 10:07 error_log
-rw-r--r--. 1 root root 544043 Nov 28 11:17 glance-api-proxy_access_ssl.log
-rw-r--r--. 1 root root   4360 Nov 28 10:07 glance-api-proxy_error_ssl.log

NB: Slight conflict on deployment/glance/glance-api-logging-file-container.yaml

Change-Id: Id4f24e171867adc445eca55b3908360c8f3f6f30
Closes-Bug: #1854343
(cherry picked from commit f22dce4477)
(cherry picked from commit a764b832e2)
2019-11-29 13:53:23 +00:00

674 lines
26 KiB
YAML

heat_template_version: rocky
description: >
OpenStack Glance service configured with Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
GlanceDebug:
default: ''
description: Set to True to enable debugging Glance service.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
GlancePassword:
description: The password for the glance service and db account, used by the glance services.
type: string
hidden: true
GlanceWorkers:
default: ''
description: |
Number of API worker processes for Glance. If left unset (empty string), the
default value will result in the configuration being left unset and a
system-dependent default value will be chosen (e.g.: number of
processors). Please note that this will create a large number of
processes on systems with a large number of CPUs resulting in excess
memory consumption. It is recommended that a suitable non-default value
be selected on such systems.
type: string
MonitoringSubscriptionGlanceApi:
default: 'overcloud-glance-api'
type: string
GlanceApiLoggingSource:
type: json
default:
tag: openstack.glance.api
path: /var/log/containers/glance/api.log
setype: svirt_sandbox_file_t
GlanceImageMemberQuota:
default: 128
description: |
Maximum number of image members per image.
Negative values evaluate to unlimited.
type: number
GlanceNfsEnabled:
default: false
description: >
When using GlanceBackend 'file', mount NFS share for image storage.
type: boolean
GlanceCacheEnabled:
description: Enable Glance Image Cache
type: boolean
default: False
GlanceImageCacheDir:
description: Base directory that the Image Cache uses
type: string
default: '/var/lib/glance/image-cache'
GlanceImageCacheMaxSize:
description: >
The upper limit on cache size, in bytes, after which the cache-pruner
cleans up the image cache.
type: number
default: 10737418240
GlanceImageCacheStallTime:
description: >
The amount of time, in seconds, to let an image remain in the cache
without being accessed.
type: number
default: 86400
GlanceNfsShare:
default: ''
description: >
NFS share to mount for image storage (when GlanceNfsEnabled is true)
type: string
GlanceNetappNfsEnabled:
default: false
description: >
When using GlanceBackend 'file', Netapp mount NFS share for image storage.
type: boolean
NetappShareLocation:
default: ''
description: >
Netapp share to mount for image storage (when GlanceNetappNfsEnabled is true)
type: string
GlanceNfsOptions:
default: '_netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0'
description: >
NFS mount options for image storage (when GlanceNfsEnabled is true)
type: string
GlanceRbdPoolName:
default: images
type: string
NovaEnableRbdBackend:
default: false
description: Whether to enable the Rbd backend for Nova ephemeral storage.
type: boolean
tags:
- role_specific
GlanceShowMultipleLocations:
default: false
description: |
Whether to show multiple image locations e.g for copy-on-write support on
RBD or Netapp backends. Potential security risk, see glance.conf for more information.
type: boolean
GlanceImageImportPlugins:
default: []
description: >
List of enabled Image Import Plugins. Valid values in the list are
'image_conversion', 'inject_metadata', 'no_op'.
type: comma_delimited_list
GlanceImageConversionOutputFormat:
default: 'raw'
description: Desired output format for image conversion plugin.
type: string
GlanceInjectMetadataProperties:
default: ''
description: Metadata properties to be injected in image.
type: comma_delimited_list
GlanceIgnoreUserRoles:
default: 'admin'
description: List of user roles to be ignored for injecting image metadata properties.
type: comma_delimited_list
GlanceEnabledImportMethods:
default: 'web-download'
description: >
List of enabled Image Import Methods. Valid values in the list are
'glance-direct' and 'web-download'
type: comma_delimited_list
GlanceStagingNfsShare:
default: ''
description: >
NFS share to mount for image import staging
type: string
GlanceNodeStagingUri:
default: 'file:///var/lib/glance/staging'
description: >
URI that specifies the staging location to use when importing images
type: string
GlanceStagingNfsOptions:
default: '_netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0'
description: >
NFS mount options for NFS image import staging
type: string
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
GlanceApiPolicies:
description: |
A hash of policies to configure for Glance API.
e.g. { glance-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
NotificationDriver:
type: string
default: 'messagingv2'
description: Driver or drivers to handle sending notifications.
RpcPort:
default: 5672
description: The network port for messaging backend
type: number
RpcUserName:
default: guest
description: The username for messaging backend
type: string
RpcPassword:
description: The password for messaging backend
type: string
hidden: true
RpcUseSSL:
default: false
description: >
Messaging client subscriber parameter to specify
an SSL connection to the messaging host.
type: string
EnableInternalTLS:
type: boolean
default: false
GlanceNotifierStrategy:
description: Strategy to use for Glance notification queue
type: string
default: noop
GlanceLogFile:
description: The filepath of the file to use for logging messages from Glance.
type: string
default: ''
GlanceBackend:
default: swift
description: The short name of the Glance backend to use. Should be one
of swift, rbd, cinder, or file
type: string
constraints:
- allowed_values: ['swift', 'file', 'rbd', 'cinder']
CephClientUserName:
default: openstack
type: string
CephClusterName:
type: string
default: ceph
description: The Ceph cluster name.
constraints:
- allowed_pattern: "[a-zA-Z0-9]+"
description: >
The Ceph cluster name must be at least 1 character and contain only
letters and numbers.
GlanceApiOptVolumes:
default: []
description: list of optional volumes to be mounted
type: comma_delimited_list
DockerGlanceApiImage:
description: image
type: string
DockerGlanceApiConfigImage:
description: The container image to use for the glance_api config_volume
type: string
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- RpcPort
- RpcUserName
- RpcPassword
- RpcUseSSL
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
cinder_backend_enabled: {equals: [{get_param: GlanceBackend}, cinder]}
rbd_backend_enabled: {equals: [{get_param: GlanceBackend}, rbd]}
enable_image_conversion:
and:
- equals: [{get_param: GlanceBackend}, rbd]
- equals: [{get_param: NovaEnableRbdBackend}, true]
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
glance_workers_unset: {equals : [{get_param: GlanceWorkers}, '']}
service_debug_unset: {equals : [{get_param: GlanceDebug}, '']}
glance_netapp_nfs_enabled: {equals : [{get_param: GlanceNetappNfsEnabled}, true]}
glance_cache_enabled: {equals : [{get_param: GlanceCacheEnabled}, true]}
glance_multiple_locations:
or:
- {equals : [{get_param: GlanceShowMultipleLocations}, true]}
- glance_netapp_nfs_enabled
- and:
# Keep this for compat, but ignore NovaEnableRbdBackend if it's a role param
- equals:
- get_param: GlanceBackend
- rbd
- equals:
- get_param: NovaEnableRbdBackend
- true
resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
GlanceLogging:
type: OS::TripleO::Services::Logging::GlanceApi
TLSProxyBase:
type: OS::TripleO::Services::TLSProxyBase
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
description: Role data for the Glance API role.
value:
service_name: glance_api
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
config_settings:
map_merge:
- get_attr: [TLSProxyBase, role_data, config_settings]
- glance::api::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: glance
password: {get_param: GlancePassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /glance
query:
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
glance::api::enable_v1_api: false
glance::api::enable_v2_api: true
glance::api::authtoken::password: {get_param: GlancePassword}
glance::api::enable_proxy_headers_parsing: true
glance::api::logging::debug:
if:
- service_debug_unset
- {get_param: Debug }
- {get_param: GlanceDebug }
glance::policy::policies: {get_param: GlanceApiPolicies}
tripleo::glance_api::firewall_rules:
'112 glance_api':
dport:
- 9292
- 13292
glance::api::authtoken::project_name: 'service'
glance::api::authtoken::user_domain_name: 'Default'
glance::api::authtoken::project_domain_name: 'Default'
glance::api::pipeline:
if:
- glance_cache_enabled
- 'keystone+cachemanagement'
- 'keystone'
glance::api::show_image_direct_url: true
glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]}
glance::api::os_region_name: {get_param: KeystoneRegion}
glance::api::image_member_quota: {get_param: GlanceImageMemberQuota}
glance::api::enabled_import_methods: {get_param: GlanceEnabledImportMethods}
glance::api::node_staging_uri: {get_param: GlanceNodeStagingUri}
glance::api::image_import_plugins:
if:
- enable_image_conversion
- list_concat_unique:
- {get_param: GlanceImageImportPlugins}
- ['image_conversion']
- {get_param: GlanceImageImportPlugins}
glance::api::image_conversion_output_format: {get_param: GlanceImageConversionOutputFormat}
glance::api::inject_metadata_properties: {get_param: GlanceInjectMetadataProperties}
glance::api::ignore_user_roles: {get_param: GlanceIgnoreUserRoles}
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
tripleo::profile::base::glance::api::tls_proxy_bind_ip:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
tripleo::profile::base::glance::api::tls_proxy_fqdn:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
tripleo::profile::base::glance::api::tls_proxy_port:
get_param: [EndpointMap, GlanceInternal, port]
# Bind to localhost if internal TLS is enabled, since we put a TLs
# proxy in front.
glance::api::bind_host:
if:
- use_tls_proxy
- "%{hiera('localhost_address')}"
- str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
glance_notifier_strategy: {get_param: GlanceNotifierStrategy}
glance_log_file: {get_param: GlanceLogFile}
glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri] }
glance::backend::swift::swift_store_user: service:glance
glance::backend::swift::swift_store_key: {get_param: GlancePassword}
glance::backend::swift::swift_store_create_container_on_put: true
glance::backend::swift::swift_store_auth_version: 3
glance::backend::rbd::rbd_store_ceph_conf:
list_join:
- ''
- - '/etc/ceph/'
- {get_param: CephClusterName}
- '.conf'
glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName}
glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName}
glance_backend: {get_param: GlanceBackend}
glance::notify::rabbitmq::notification_driver: {get_param: NotificationDriver}
-
if:
- glance_workers_unset
- {}
- glance::api::workers: {get_param: GlanceWorkers}
-
if:
- cinder_backend_enabled
- glance::backend::cinder::cinder_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
glance::backend::cinder::cinder_store_project_name: 'service'
glance::backend::cinder::cinder_store_user_name: 'glance'
glance::backend::cinder::cinder_store_password: {get_param: GlancePassword}
- {}
-
if:
- glance_cache_enabled
- glance::api::image_cache_dir: {get_param: GlanceImageCacheDir}
glance::api::image_cache_max_size: {get_param: GlanceImageCacheMaxSize}
glance::api::image_cache_stall_time: {get_param: GlanceImageCacheStallTime}
- {}
-
if:
- glance_netapp_nfs_enabled
- tripleo::profile::base::glance::netapp::netapp_share: {get_param: NetappShareLocation}
glance::api::filesystem_store_metadata_file: '/etc/glance/glance-metadata-file.json'
glance::api::filesystem_store_file_perm: '0644'
- {}
- glance::api::sync_db: false
service_config_settings:
keystone:
glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]}
glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
glance::keystone::auth::password: {get_param: GlancePassword }
glance::keystone::auth::region: {get_param: KeystoneRegion}
glance::keystone::auth::tenant: 'service'
mysql:
glance::db::mysql::password: {get_param: GlancePassword}
glance::db::mysql::user: glance
glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
glance::db::mysql::dbname: glance
glance::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
fluentd:
tripleo_fluentd_groups_glance_api:
- glance
tripleo_fluentd_sources_glance_api:
- {get_param: GlanceApiLoggingSource}
# BEGIN DOCKER SETTINGS #
puppet_config:
config_volume: glance_api
puppet_tags: glance_api_config,glance_api_paste_ini,glance_swift_config,glance_cache_config,glance_image_import_config
step_config:
list_join:
- "\n"
- - include ::tripleo::profile::base::glance::api
- if:
- glance_netapp_nfs_enabled
- include ::tripleo::profile::base::glance::netapp
- ''
- if:
- glance_cache_enabled
- |
include ::glance::cache::cleaner
include ::glance::cache::pruner
- ''
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: DockerGlanceApiConfigImage}
kolla_config:
/var/lib/kolla/config_files/glance_api.json:
command: /usr/bin/glance-api --config-file /usr/share/glance/glance-api-dist.conf --config-file /etc/glance/glance-api.conf --config-file /etc/glance/glance-image-import.conf
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-ceph/"
dest: "/etc/ceph/"
merge: true
preserve_properties: true
permissions:
- path: /var/lib/glance
owner: glance:glance
recurse: true
- path:
str_replace:
template: /etc/ceph/CLUSTER.client.USER.keyring
params:
CLUSTER: {get_param: CephClusterName}
USER: {get_param: CephClientUserName}
owner: glance:glance
perm: '0600'
/var/lib/kolla/config_files/glance_api_tls_proxy.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
docker_config:
step_2:
get_attr: [GlanceLogging, docker_config, step_2]
step_3:
glance_api_db_sync:
image: &glance_api_image {get_param: DockerGlanceApiImage}
net: host
privileged: false
detach: false
user: root
volumes: &glance_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [GlanceLogging, volumes]}
- {get_param: GlanceApiOptVolumes}
-
- /var/lib/kolla/config_files/glance_api.json:/var/lib/kolla/config_files/config.json
- /var/lib/config-data/puppet-generated/glance_api/:/var/lib/kolla/config_files/src:ro
- /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
- /var/lib/glance:/var/lib/glance:slave
-
if:
- cinder_backend_enabled
- - /dev:/dev
- /etc/iscsi:/etc/iscsi
- /var/lib/iscsi:/var/lib/iscsi:z
- []
environment:
- KOLLA_BOOTSTRAP=True
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
command: "/usr/bin/bootstrap_host_exec glance_api su glance -s /bin/bash -c '/usr/local/bin/kolla_start'"
step_4:
map_merge:
- glance_api:
start_order: 2
image: *glance_api_image
net: host
privileged: {if: [cinder_backend_enabled, true, false]}
restart: always
healthcheck:
test: /openstack/healthcheck
volumes: *glance_volumes
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- if:
- internal_tls_enabled
- glance_api_tls_proxy:
start_order: 2
image: *glance_api_image
net: host
user: root
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [GlanceLogging, volumes]}
-
- /var/lib/kolla/config_files/glance_api_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/glance_api/:/var/lib/kolla/config_files/src:ro
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- {}
host_prep_tasks:
list_concat:
- {get_attr: [GlanceLogging, host_prep_tasks]}
- - name: Mount NFS on host
vars:
nfs_backend_enabled: {get_param: GlanceNfsEnabled}
glance_netapp_nfs_enabled: {get_param: GlanceNetappNfsEnabled}
glance_nfs_share: {get_param: GlanceNfsShare}
netapp_share_location: {get_param: NetappShareLocation}
nfs_share: "{{ glance_nfs_share if (glance_nfs_share) else netapp_share_location }}"
nfs_options: {get_param: GlanceNfsOptions}
mount: name=/var/lib/glance/images src="{{nfs_share}}" fstype=nfs opts="{{nfs_options}}" state=mounted
when: nfs_backend_enabled or glance_netapp_nfs_enabled
- name: Mount Node Staging Location
vars:
glance_node_staging_uri: {get_param: GlanceNodeStagingUri}
glance_staging_nfs_share: {get_param: GlanceStagingNfsShare}
glance_nfs_options: {get_param: GlanceStagingNfsOptions}
# Gleaning mount point by stripping "file://" prefix from staging uri
mount: name="{{glance_node_staging_uri[7:]}}" src="{{glance_staging_nfs_share}}" fstype=nfs opts="{{glance_nfs_options}}" state=mounted
when: glance_staging_nfs_share != ''
- name: ensure ceph configurations exist
file:
path: /etc/ceph
state: directory
- name: ensure /var/lib/glance exists
file:
path: /var/lib/glance
state: directory
setype: svirt_sandbox_file_t
metadata_settings:
get_attr: [TLSProxyBase, role_data, metadata_settings]
post_upgrade_tasks:
- when: step|int == 1
import_role:
name: tripleo-docker-rm
vars:
containers_to_rm:
with_items:
list_concat:
- - glance_api
- - if:
- internal_tls_enabled
- - glance_api_tls_proxy
- null
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop glance api container
import_role:
name: tripleo-container-stop
vars:
tripleo_containers_to_stop:
- glance_api
tripleo_delegate_to: "{{ groups['glance_api'] | default([]) }}"
fast_forward_upgrade_tasks:
- when:
- step|int == 0
- release == 'ocata'
block:
- name: Check if glance_api is deployed
command: systemctl is-enabled --quiet openstack-glance-api
ignore_errors: True
register: glance_api_enabled_result
- name: Set fact glance_api_enabled
set_fact:
glance_api_enabled: "{{ glance_api_enabled_result.rc == 0 }}"
- name: Stop openstack-glance-api
service: name=openstack-glance-api state=stopped enabled=no
when:
- step|int == 1
- release == 'ocata'
- glance_api_enabled|bool
- name: glance package update
package: name=openstack-glance state=latest
when:
- step|int == 6
- is_bootstrap_node|bool
- name: glance db sync
command: glance-manage db_sync
when:
- step|int == 8
- is_bootstrap_node|bool