openstack/tripleo-heat-templates
Code Issues Proposed changes
643c3d25d9
tripleo-heat-templates/deployment/cinder/cinder-api-container-puppet.yaml
Takashi Kajinami 89fde273ea Add support for keystone_authtoken/memcache_use_advanced_pool 
This change introduces a single parameter, MemcacheUseAdvancedPool,
to enable usage of advanced connection pool in keystone middleware.
This is useful to avoid bursting connection to memcached.

Note that the default value of memcached_use_advanced_pool was changed
from false to true during Xena cycle[1], so this parameter is no longer
required in master. However the change in keystonemiddleware will
never be backported. This change is created so that we can switch to
advanced pool even in older releases.

[1] https://review.opendev.org/c/openstack/keystonemiddleware/+/773939

(To Victoria)
Conflicts:
	deployment/aodh/aodh-api-container-puppet.yaml
	deployment/glance/glance-api-container-puppet.yaml
	deployment/gnocchi/gnocchi-api-container-puppet.yaml
	deployment/manila/manila-api-container-puppet.yaml
	deployment/nova/nova-api-container-puppet.yaml

Closes-Bug: #1931047
Change-Id: I2887249af44ccfdae1592dd9120d3366fa059876
(cherry picked from commit 09bcacd25a)
(cherry picked from commit 9a89b9add6)
2021-06-25 07:44:11 +00:00

458 lines
17 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
OpenStack containerized Cinder API service
parameters:
ContainerCinderApiImage:
description: image
type: string
ContainerCinderConfigImage:
description: The container image to use for the cinder config_volume
type: string
CinderApiLoggingSource:
type: json
default:
tag: openstack.cinder.api
file: /var/log/containers/cinder/cinder-api.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
EnableInternalTLS:
type: boolean
default: false
CinderDefaultVolumeType:
default: tripleo
description: The name of Cinder's default volume type.
type: string
CinderEnableDBPurge:
default: true
description: |
Whether to create cron job for purging soft deleted rows in Cinder database.
type: boolean
CinderPassword:
description: The password for the cinder service and db account.
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
MonitoringSubscriptionCinderApi:
default: 'overcloud-cinder-api'
type: string
CinderWorkers:
type: string
description: Set the number of workers for cinder::wsgi::apache
default: '%{::os_workers}'
CinderApiPolicies:
description: |
A hash of policies to configure for Cinder API.
e.g. { cinder-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
CinderApiWsgiTimeout:
default: 60
description: The number of seconds until a Cinder API WSGI connection times out.
type: number
NotificationDriver:
type: string
default: 'noop'
description: Driver or drivers to handle sending notifications.
RootStackName:
description: The name of the stack/plan.
type: string
MemcacheUseAdvancedPool:
type: boolean
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
cinder_workers_zero: {equals : [{get_param: CinderWorkers}, 0]}
resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
CinderBase:
type: ./cinder-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
CinderCommon:
type: ./cinder-common-container-puppet.yaml
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
description: Role data for the Cinder API role.
value:
service_name: cinder_api
firewall_rules:
'119 cinder':
dport:
- 8776
- 13776
keystone_resources:
cinder:
users:
cinder:
password: {get_param: CinderPassword}
roles:
- admin
- service
cinderv2:
endpoints:
public: {get_param: [EndpointMap, CinderV2Public, uri]}
internal: {get_param: [EndpointMap, CinderV2Internal, uri]}
admin: {get_param: [EndpointMap, CinderV2Admin, uri]}
users:
cinderv2:
password: {get_param: CinderPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'volumev2'
cinderv3:
endpoints:
public: {get_param: [EndpointMap, CinderV3Public, uri]}
internal: {get_param: [EndpointMap, CinderV3Internal, uri]}
admin: {get_param: [EndpointMap, CinderV3Admin, uri]}
users:
cinderv3:
password: {get_param: CinderPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'volumev3'
monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi}
config_settings:
map_merge:
- get_attr: [CinderBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- keystone_resources_managed: false
- cinder::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
cinder::keystone::authtoken::password: {get_param: CinderPassword}
cinder::keystone::authtoken::project_name: 'service'
cinder::keystone::authtoken::user_domain_name: 'Default'
cinder::keystone::authtoken::project_domain_name: 'Default'
cinder::keystone::authtoken::region_name: {get_param: KeystoneRegion}
cinder::keystone::authtoken::interface: 'internal'
cinder::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
cinder::policy::policies: {get_param: CinderApiPolicies}
cinder::notification_driver: {get_param: NotificationDriver}
cinder::api::default_volume_type: {get_param: CinderDefaultVolumeType}
cinder::api::enable_proxy_headers_parsing: true
cinder::api::nova_catalog_info: 'compute:nova:internalURL'
tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
cinder::api::bind_host:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS}
cinder::api::service_name: 'httpd'
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
cinder::wsgi::apache::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
cinder::wsgi::apache::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
cinder::wsgi::apache::vhost_custom_fragment:
str_replace:
template:
"Timeout TIMEOUT"
params:
TIMEOUT: {get_param: CinderApiWsgiTimeout}
-
if:
- cinder_workers_zero
- {}
- cinder::wsgi::apache::workers: {get_param: CinderWorkers}
service_config_settings:
map_merge:
- get_attr: [CinderBase, role_data, service_config_settings]
- rsyslog:
tripleo_logging_sources_cinder_api:
- {get_param: CinderApiLoggingSource}
mysql:
cinder::db::mysql::password: {get_param: CinderPassword}
cinder::db::mysql::user: cinder
cinder::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
cinder::db::mysql::dbname: cinder
cinder::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: cinder
puppet_tags: cinder_config,cinder_type,file,concat,file_line
step_config:
list_join:
- "\n"
- - "include tripleo::profile::base::cinder::api"
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_param: ContainerCinderConfigImage}
kolla_config:
/var/lib/kolla/config_files/cinder_api.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
# TODO(emilien) remove optional flag once we get a promotion
# https://launchpad.net/bugs/1884115
optional: true
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
/var/lib/kolla/config_files/cinder_api_cron.json:
command: /usr/sbin/crond -n
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
docker_config:
step_2:
cinder_api_init_logs:
image: &cinder_api_image {get_param: ContainerCinderApiImage}
net: none
privileged: false
user: root
volumes:
- /var/log/containers/cinder:/var/log/cinder:z
- /var/log/containers/httpd/cinder-api:/var/log/httpd:z
command: ['/bin/bash', '-c', 'chown -R cinder:cinder /var/log/cinder']
step_3:
cinder_api_db_sync:
image: *cinder_api_image
net: host
privileged: false
detach: false
user: root
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/config-data/cinder/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro
- /var/lib/config-data/cinder/etc/cinder/:/etc/cinder/:ro
- /var/log/containers/cinder:/var/log/cinder:z
- /var/log/containers/httpd/cinder-api:/var/log/httpd:z
command:
- '/usr/bin/bootstrap_host_exec'
- 'cinder_api'
- "su cinder -s /bin/bash -c 'cinder-manage db sync --bump-versions'"
environment:
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
step_4:
cinder_api:
image: *cinder_api_image
net: host
privileged: false
restart: always
# NOTE(mandre) kolla image changes the user to 'cinder', we need it
# to be root to run httpd
user: root
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [CinderCommon, cinder_common_volumes]}
-
- /var/lib/kolla/config_files/cinder_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/log/containers/httpd/cinder-api:/var/log/httpd:z
- if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- []
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
cinder_api_cron:
image: *cinder_api_image
net: host
user: root
privileged: false
restart: always
healthcheck:
test: '/usr/share/openstack-tripleo-common/healthcheck/cron cinder'
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/cinder_api_cron.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/cinder:/var/lib/kolla/config_files/src:ro
- /var/log/containers/cinder:/var/log/cinder:z
- /var/log/containers/httpd/cinder-api:/var/log/httpd:z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
container_puppet_tasks:
# Create the default volume type after the cinder-api service is
# running. The puppet code will ensure this is only done once, on
# the bootstrap node.
step_4:
config_volume: 'cinder_init_tasks'
puppet_tags: cinder_config,cinder_type,file,concat,file_line
step_config: 'include tripleo::profile::base::cinder::api'
config_image: *cinder_api_image
volumes:
- /var/lib/config-data/cinder/etc/cinder/:/etc/cinder/:ro
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- { 'path': /var/log/containers/cinder, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/cinder-api, 'setype': container_file_t, 'mode': '0750' }
external_upgrade_tasks:
- when: step|int == 1
block: &cinder_online_db_migration
- name: Online data migration for Cinder
command: "{{ container_cli }} exec cinder_api cinder-manage db online_data_migrations"
delegate_to: "{{ groups['cinder_api'][0] }}"
become: true
tags:
- online_upgrade
- online_upgrade_cinder
- when: step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop cinder api container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- cinder_api
- cinder_api_cron
tripleo_delegate_to: "{{ groups['cinder_api'] | default([]) }}"
external_update_tasks:
- when: step|int == 1
block: *cinder_online_db_migration
external_deploy_tasks:
- name: Clean up legacy Cinder keystone catalog entries
become: true
os_keystone_service:
cloud: {get_param: RootStackName}
name: cinderv3
service_type: volume
state: absent
when:
- step|int == 4
- name: Manage Cinder Volume Type
become: true
vars:
default_volume_type: {get_param: CinderDefaultVolumeType}
environment:
OS_CLOUD: {get_param: RootStackName}
when:
- step|int == 5
- not ansible_check_mode|bool
shell: |
if ! openstack volume type show "{{ default_volume_type }}"; then
openstack volume type create --public "{{ default_volume_type }}"
fi
args:
executable: /bin/bash
changed_when: false
View Git Blame Copy Permalink