2d21dcce74
Currently, we are setting file ACLs on /var/lib/neutron as part of upgrade tasks if there is a neutron user in the system. Since moving to containerized deployment, we don't have neutron user on the system anymore. This code was added to resolve issues arising with existing neutron resources when moving from system services to containerized services. This patch is to remove the stale upgrade tasks to remove file ACLs. Closes-Bug: #1943034 Signed-off-by: Purandhar Sairam Mannidi <pmannidi@redhat.com> Change-Id: I19f457a99dedfd781bd56987e3fea6626737500d (cherry picked from commita522941695
) (cherry picked from commitb9fe05d56c
)
213 lines
7.8 KiB
YAML
213 lines
7.8 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized Neutron Metadata agent
|
|
|
|
parameters:
|
|
ContainerNeutronMetadataImage:
|
|
description: image
|
|
type: string
|
|
ContainerNeutronConfigImage:
|
|
description: The container image to use for the neutron config_volume
|
|
type: string
|
|
NeutronMetadataAgentLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.neutron.agent.metadata
|
|
file: /var/log/containers/neutron/metadata-agent.log
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
NeutronMetadataProxySharedSecret:
|
|
description: Shared secret to prevent spoofing
|
|
type: string
|
|
hidden: true
|
|
NeutronWorkers:
|
|
default: ''
|
|
description: |
|
|
Sets the number of worker processes for the neutron metadata agent. The
|
|
default value results in the configuration being left unset and a
|
|
system-dependent default will be chosen (usually the number of
|
|
processors). Please note that this can result in a large number of
|
|
processes and memory consumption on systems with a large core count. On
|
|
such systems it is recommended that a non-default value be selected that
|
|
matches the load requirements.
|
|
type: string
|
|
NeutronPassword:
|
|
description: The password for the neutron service and db account, used by neutron agents.
|
|
type: string
|
|
hidden: true
|
|
MonitoringSubscriptionNeutronMetadata:
|
|
default: 'overcloud-neutron-metadata'
|
|
type: string
|
|
Debug:
|
|
type: boolean
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
NeutronMetadataAgentDebug:
|
|
default: ''
|
|
description: Set to True to enable debugging for Neutron Metadata agent.
|
|
type: string
|
|
constraints:
|
|
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
|
|
conditions:
|
|
neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']}
|
|
service_debug_unset: {equals: [{get_param: NeutronMetadataAgentDebug}, '']}
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
NeutronBase:
|
|
type: ./neutron-base.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
NeutronLogging:
|
|
type: OS::TripleO::Services::Logging::NeutronCommon
|
|
properties:
|
|
NeutronServiceName: metadata-agent
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for Neutron Metadata agent
|
|
value:
|
|
service_name: neutron_metadata
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronMetadata}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [NeutronBase, role_data, config_settings]
|
|
- get_attr: [NeutronLogging, config_settings]
|
|
- neutron::agents::metadata::auth_password: {get_param: NeutronPassword}
|
|
neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
|
neutron::agents::metadata::auth_tenant: 'service'
|
|
neutron::agents::metadata::debug:
|
|
if:
|
|
- service_debug_unset
|
|
- {get_param: Debug}
|
|
- {get_param: NeutronMetadataAgentDebug}
|
|
neutron::agents::metadata::metadata_host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('cloud_name_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
|
|
neutron::agents::metadata::metadata_protocol:
|
|
if:
|
|
- internal_tls_enabled
|
|
- 'https'
|
|
- 'http'
|
|
-
|
|
if:
|
|
- neutron_workers_unset
|
|
- {}
|
|
- neutron::agents::metadata::metadata_workers: {get_param: NeutronWorkers}
|
|
-
|
|
if:
|
|
- is_neutron_shared_metadata_notempty
|
|
- neutron::agents::metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret}
|
|
- {}
|
|
service_config_settings:
|
|
map_merge:
|
|
- get_attr: [NeutronBase, role_data, service_config_settings]
|
|
- rsyslog:
|
|
tripleo_logging_sources_neutron_metadata:
|
|
- {get_param: NeutronMetadataAgentLoggingSource}
|
|
puppet_config:
|
|
puppet_tags: neutron_config,neutron_metadata_agent_config
|
|
config_volume: neutron
|
|
step_config: |
|
|
include tripleo::profile::base::neutron::metadata
|
|
config_image: {get_param: ContainerNeutronConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/neutron_metadata_agent.json:
|
|
command:
|
|
list_join:
|
|
- ' '
|
|
- - /usr/bin/neutron-metadata-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/metadata_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-metadata-agent
|
|
- get_attr: [NeutronLogging, cmd_extra_args]
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/neutron
|
|
owner: neutron:neutron
|
|
recurse: true
|
|
- path: /var/lib/neutron
|
|
owner: neutron:neutron
|
|
recurse: true
|
|
docker_config:
|
|
step_4:
|
|
neutron_metadata_agent:
|
|
start_order: 10
|
|
image: {get_param: ContainerNeutronMetadataImage}
|
|
net: host
|
|
pid: host
|
|
privileged: true
|
|
restart: always
|
|
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [NeutronLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/neutron_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro
|
|
- /lib/modules:/lib/modules:ro
|
|
- /var/lib/neutron:/var/lib/neutron:shared,z
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
metadata_settings:
|
|
get_attr: [NeutronBase, role_data, metadata_settings]
|
|
host_prep_tasks:
|
|
list_concat:
|
|
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
|
- - name: create /var/lib/neutron
|
|
file:
|
|
path: /var/lib/neutron
|
|
state: directory
|
|
setype: container_file_t
|
|
- name: enable virt_sandbox_use_netlink for healthcheck
|
|
seboolean:
|
|
name: virt_sandbox_use_netlink
|
|
persistent: yes
|
|
state: yes
|
|
upgrade_tasks: []
|