c71b72b296
Until now, /var/tmp label was globally changed to another value than the
default, moving from tmp_t to container_file_t due to the ":z" flag in
the horizon container mount.
This patch creates a subdirectory in /var/tmp, and mounts this location
directly in horizon's /var/tmp - this allows to NOT change anything in
horizon, while preventing potential leaks from other apps using this
location. It also prevents issues with SELinux denials on that location.
The special 1777 mode allows to ensure we get the right "tmp" mode on
the directory, meaning: drwxrwxrwt.
This patch also ensures we reset the label on /var/tmp during update and
upgrade.
Change-Id: I6c239065d4c92c9afc62ff4e513e6d097a06e218
Resolves: rhbz#1947532
Closes-Bug: #1925316
(cherry picked from commit bafd6aba09
)
429 lines
16 KiB
YAML
429 lines
16 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized Horizon service
|
|
|
|
parameters:
|
|
ContainerHorizonImage:
|
|
description: image
|
|
type: string
|
|
ContainerHorizonConfigImage:
|
|
description: The container image to use for the horizon config_volume
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
Debug:
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
type: boolean
|
|
HorizonDebug:
|
|
default: false
|
|
description: Set to True to enable debugging Horizon service.
|
|
type: string
|
|
constraints:
|
|
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
|
HorizonAllowedHosts:
|
|
default: '*'
|
|
description: A list of IP/Hostname for the server Horizon is running on.
|
|
Used for header checks.
|
|
type: comma_delimited_list
|
|
HorizonPasswordValidator:
|
|
description: Regex for password validation
|
|
type: string
|
|
default: ''
|
|
HorizonPasswordValidatorHelp:
|
|
description: Help text for password validation
|
|
type: string
|
|
default: ''
|
|
HorizonSecret:
|
|
description: Secret key for Django
|
|
type: string
|
|
hidden: true
|
|
default: ''
|
|
HorizonSecureCookies:
|
|
description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
|
|
type: boolean
|
|
default: false
|
|
HorizonSessionTimeout:
|
|
description: Set session timeout for horizon in seconds
|
|
type: number
|
|
default: 1800
|
|
MemcachedIPv6:
|
|
default: false
|
|
description: Enable IPv6 features in Memcached.
|
|
type: boolean
|
|
MonitoringSubscriptionHorizon:
|
|
default: 'overcloud-horizon'
|
|
type: string
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
HorizonVhostExtraParams:
|
|
default:
|
|
add_listen: true
|
|
priority: 10
|
|
access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
|
|
options: ['FollowSymLinks','MultiViews']
|
|
description: Extra parameters for Horizon vhost configuration
|
|
type: json
|
|
HorizonCustomizationModule:
|
|
default: ''
|
|
description: Horizon has a global overrides mechanism available to perform customizations
|
|
type: string
|
|
HorizonHelpURL:
|
|
default: 'http://docs.openstack.org'
|
|
description: On top of dashboard there is a Help button. This button could be used
|
|
to re-direct user to vendor documentation or dedicated help portal.
|
|
type: string
|
|
TimeZone:
|
|
default: 'UTC'
|
|
description: The timezone to be set on the overcloud.
|
|
type: string
|
|
WebSSOEnable:
|
|
default: false
|
|
type: boolean
|
|
description: Enable support for Web Single Sign-On
|
|
WebSSOInitialChoice:
|
|
default: 'OIDC'
|
|
type: string
|
|
description: The initial authentication choice to select by default
|
|
WebSSOChoices:
|
|
default:
|
|
- ['OIDC', 'OpenID Connect']
|
|
type: json
|
|
description: Specifies the list of SSO authentication choices to present.
|
|
Each item is a list of an SSO choice identifier and a display
|
|
message.
|
|
WebSSOIDPMapping:
|
|
default:
|
|
'OIDC': ['myidp', 'openid']
|
|
type: json
|
|
description: Specifies a mapping from SSO authentication choice to identity
|
|
provider and protocol. The identity provider and protocol names
|
|
must match the resources defined in keystone.
|
|
HorizonDomainChoices:
|
|
default: []
|
|
type: json
|
|
description: Specifies available domains to choose from. We expect an array
|
|
of hashes, and the hashes should have two items each (name, display)
|
|
containing Keystone domain name and a human-readable description of
|
|
the domain respectively.
|
|
HorizonLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.horizon
|
|
file: /var/log/containers/horizon/horizon.log
|
|
|
|
parameter_groups:
|
|
- label: deprecated
|
|
description: |
|
|
The following parameters are deprecated and will be removed. They should not
|
|
be relied on for new deployments. If you have concerns regarding deprecated
|
|
parameters, please contact the TripleO development team on IRC or the
|
|
OpenStack mailing list.
|
|
parameters:
|
|
- MemcachedIPv6
|
|
|
|
conditions:
|
|
debug_unset: {equals : [{get_param: Debug}, '']}
|
|
websso_enabled: {equals : [{get_param: WebSSOEnable}, True]}
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
horizon_domain_choices_set: {not: {equals: [{get_param: HorizonDomainChoices}, []]}}
|
|
is_ipv6:
|
|
equals:
|
|
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, HorizonNetwork]}]}
|
|
- 6
|
|
horizon_logger_debug:
|
|
or:
|
|
- yaql:
|
|
expression: $.data.horizon_debug.matches("true|True|TRUE")
|
|
data:
|
|
horizon_debug:
|
|
get_param: HorizonDebug
|
|
- get_param: Debug
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Horizon API role.
|
|
value:
|
|
service_name: horizon
|
|
firewall_rules:
|
|
'126 horizon':
|
|
dport:
|
|
- 80
|
|
- 443
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
|
|
config_settings:
|
|
map_merge:
|
|
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
|
|
horizon::enable_secure_proxy_ssl_header: true
|
|
horizon::disable_password_reveal: true
|
|
horizon::enforce_password_check: true
|
|
horizon::disallow_iframe_embed: true
|
|
horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
|
|
horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
|
|
horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams}
|
|
horizon::bind_address:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
|
|
horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]}
|
|
horizon::password_validator: {get_param: [HorizonPasswordValidator]}
|
|
horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
|
|
horizon::secret_key:
|
|
yaql:
|
|
expression: $.data.passwords.where($ != '').first()
|
|
data:
|
|
passwords:
|
|
- {get_param: HorizonSecret}
|
|
- {get_param: [DefaultPasswords, horizon_secret]}
|
|
horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
|
|
horizon::session_timeout: {get_param: HorizonSessionTimeout}
|
|
memcached_ipv6: {if: [is_ipv6, true, false]}
|
|
horizon::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
|
|
horizon::listen_ssl: {get_param: EnableInternalTLS}
|
|
horizon::customization_module: {get_param: HorizonCustomizationModule}
|
|
horizon::timezone: {get_param: TimeZone}
|
|
horizon::file_upload_temp_dir: '/var/tmp'
|
|
horizon::help_url: {get_param: HorizonHelpURL}
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
- horizon::horizon_ca: {get_param: InternalTLSCAFile}
|
|
horizon::ssl_verify_client: require
|
|
- {}
|
|
-
|
|
if:
|
|
- websso_enabled
|
|
-
|
|
horizon::websso_enabled:
|
|
get_param: WebSSOEnable
|
|
horizon::websso_initial_choice:
|
|
get_param: WebSSOInitialChoice
|
|
horizon::websso_choices:
|
|
get_param: WebSSOChoices
|
|
horizon::websso_idp_mapping:
|
|
get_param: WebSSOIDPMapping
|
|
- {}
|
|
-
|
|
if:
|
|
- debug_unset
|
|
- horizon::django_debug: { get_param: HorizonDebug }
|
|
- horizon::django_debug: { get_param: Debug }
|
|
- if:
|
|
- horizon_logger_debug
|
|
- horizon::log_level: 'DEBUG'
|
|
- {}
|
|
- if:
|
|
- horizon_domain_choices_set
|
|
- horizon::keystone_domain_choices: {get_param: HorizonDomainChoices}
|
|
- {}
|
|
ansible_group_vars:
|
|
keystone_enable_member: true
|
|
service_config_settings:
|
|
rsyslog:
|
|
tripleo_logging_sources_horizon:
|
|
yaql:
|
|
expression: $.data.sources.flatten()
|
|
data:
|
|
sources:
|
|
- {get_param: HorizonLoggingSource}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: horizon
|
|
puppet_tags: horizon_config
|
|
step_config: |
|
|
include tripleo::profile::base::horizon
|
|
config_image: {get_param: ContainerHorizonConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/horizon.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
|
|
dest: "/etc/httpd/conf.modules.d"
|
|
# TODO(emilien) remove optional flag once we get a promotion
|
|
# https://launchpad.net/bugs/1884115
|
|
optional: true
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/horizon/
|
|
owner: apache:apache
|
|
recurse: true
|
|
# NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to
|
|
# horizon:horizon - the policy.json files need read permissions for the apache user
|
|
# FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead
|
|
- path: /etc/openstack-dashboard/
|
|
owner: apache:apache
|
|
recurse: true
|
|
# FIXME Apache tries to write a .lock file there
|
|
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/
|
|
owner: apache:apache
|
|
recurse: false
|
|
# FIXME Our theme settings are there
|
|
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/
|
|
owner: apache:apache
|
|
recurse: false
|
|
docker_config:
|
|
step_2:
|
|
horizon_fix_perms:
|
|
image: &horizon_image {get_param: ContainerHorizonImage}
|
|
net: none
|
|
user: root
|
|
# NOTE Set ownership for /var/log/horizon/horizon.log file here,
|
|
# otherwise it's created by root when generating django cache.
|
|
# FIXME Apache needs to read files in /etc/openstack-dashboard
|
|
# Need to set permissions to match the BM case,
|
|
# http://paste.openstack.org/show/609819/
|
|
command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log ; chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard']
|
|
volumes:
|
|
- /var/log/containers/horizon:/var/log/horizon:z
|
|
- /var/log/containers/httpd/horizon:/var/log/httpd:z
|
|
- /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard
|
|
step_3:
|
|
horizon:
|
|
image: *horizon_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/horizon:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/horizon:/var/log/horizon:z
|
|
- /var/log/containers/httpd/horizon:/var/log/httpd:z
|
|
- /var/tmp/horizon:/var/tmp/:z
|
|
- /var/www/:/var/www/:ro
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- []
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
- []
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
# Installed plugins:
|
|
ENABLE_CLOUDKITTY: 'no'
|
|
ENABLE_IRONIC: 'yes'
|
|
ENABLE_MAGNUM: 'no'
|
|
ENABLE_MANILA: 'yes'
|
|
ENABLE_HEAT: 'yes'
|
|
ENABLE_MURANO: 'no'
|
|
ENABLE_MISTRAL: 'no'
|
|
ENABLE_OCTAVIA: 'yes'
|
|
ENABLE_SAHARA: 'yes'
|
|
ENABLE_TROVE: 'no'
|
|
# Not installed:
|
|
ENABLE_FREEZER: 'no'
|
|
ENABLE_FWAAS: 'no'
|
|
ENABLE_KARBOR: 'no'
|
|
ENABLE_DESIGNATE: 'no'
|
|
ENABLE_SEARCHLIGHT: 'no'
|
|
ENABLE_SENLIN: 'no'
|
|
ENABLE_SOLUM: 'no'
|
|
ENABLE_TACKER: 'no'
|
|
ENABLE_WATCHER: 'no'
|
|
ENABLE_ZAQAR: 'no'
|
|
ENABLE_ZUN: 'no'
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode|default(omit) }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/horizon, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/log/containers/httpd/horizon, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/www, 'setype': container_file_t }
|
|
- { 'path': /var/tmp/horizon, 'setype': container_file_t, 'mode': '1777' }
|
|
- name: ensure /var/tmp/horizon exists on boot
|
|
copy:
|
|
dest: /etc/tmpfiles.d/var-tmp-horizon.conf
|
|
content: |
|
|
d /var/tmp/horizon 1777 root root - -
|
|
upgrade_tasks:
|
|
- name: Anchor for upgrade and update tasks
|
|
when: step|int == 0
|
|
block: &tmp_reset_label
|
|
- name: Reset selinux label on /var/tmp
|
|
file:
|
|
path: /var/tmp
|
|
state: directory
|
|
setype: tmp_t
|
|
mode: 1777
|
|
update_tasks:
|
|
- name: Anchor for upgrade and update tasks
|
|
when: step|int == 0
|
|
block: *tmp_reset_label
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop horizon container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- horizon
|
|
tripleo_delegate_to: "{{ groups['horizon'] | default([]) }}"
|