tripleo-heat-templates/deployment/swift/swift-ringbuilder-container-puppet.yaml
Cédric Jeanneret c55cf61c99 Avoid "-a" cp option in order to avoid SELinux AVC
Using "cp -a" in a container might lead to SELinux failures, since this option
is a shortcut for "-dR --preserve=all". The "all" has the context, and we do
not allow SELinux relabelling within containers.

Splitting the "-a" into "-dR --preserve" gives the same end result, but
without the relabelling, preventing audit.log from filling up during the deploy.

Closes-Bug: #1819459
Change-Id: Ic280ad8e95fcc32986987f5abaa524f171d7c13b
2019-03-14 08:48:24 +01:00


# Heat template for the containerized Swift ringbuilder service.
# It exposes a single `role_data` output: hiera settings consumed by the
# tripleo::profile::base::swift::ringbuilder puppet class, the puppet_config
# used to render them, and one docker_config step that copies the generated
# ring files into the Swift config volume.
heat_template_version: rocky

description: >
  OpenStack Swift Ringbuilder

parameters:
  DockerSwiftConfigImage:
    description: The container image to use for the swift config_volume
    type: string
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  SwiftMinPartHours:
    type: number
    default: 1
    description: The minimum time (in hours) before a partition in a ring can be moved following a rebalance.
  SwiftPartPower:
    default: 10
    description: Partition Power to use when building Swift rings
    type: number
  SwiftRingBuild:
    default: true
    description: Whether to manage Swift rings or not
    type: boolean
  SwiftReplicas:
    type: number
    default: 3
    description: How many replicas to use in the swift rings.
  SwiftRawDisks:
    default: {}
    description: 'A hash of additional raw devices to use as Swift backend (eg. {sdb: {}})'
    type: json
  SwiftUseLocalDir:
    default: true
    description: 'Use a local directory for Swift storage services when building rings'
    type: boolean
  # The two tempurls are passed straight through to the ringbuilder profile;
  # they are empty by default, so no remote download/upload happens unless
  # the operator sets them.
  SwiftRingGetTempurl:
    default: ''
    description: A temporary Swift URL to download rings from.
    type: string
  SwiftRingPutTempurl:
    default: ''
    description: A temporary Swift URL to upload rings to.
    type: string

conditions:
  # True only when local-directory storage is requested AND no raw disks
  # were supplied; a non-empty SwiftRawDisks disables the local device.
  swift_use_local_dir:
    and:
      - equals:
          - get_param: SwiftUseLocalDir
          - true
      - equals:
          - get_param: SwiftRawDisks
          - {}

outputs:
  role_data:
    description: Role data for Swift Ringbuilder configuration in containers.
    value:
      service_name: swift_ringbuilder
      config_settings:
        # NOTE(review): this key has a single ':' before skip_consistency_check
        # while every sibling key uses '::'. If the name does not match the
        # class parameter, hiera's automatic parameter lookup silently ignores
        # it and the class default applies -- confirm against puppet-tripleo.
        tripleo::profile::base::swift::ringbuilder:skip_consistency_check: true
        tripleo::profile::base::swift::ringbuilder::swift_ring_get_tempurl: {get_param: SwiftRingGetTempurl}
        tripleo::profile::base::swift::ringbuilder::swift_ring_put_tempurl: {get_param: SwiftRingPutTempurl}
        tripleo::profile::base::swift::ringbuilder::build_ring: {get_param: SwiftRingBuild}
        tripleo::profile::base::swift::ringbuilder::replicas: {get_param: SwiftReplicas}
        tripleo::profile::base::swift::ringbuilder::part_power: {get_param: SwiftPartPower}
        tripleo::profile::base::swift::ringbuilder::min_part_hours: {get_param: SwiftMinPartHours}
        tripleo::profile::base::swift::ringbuilder::raw_disk_prefix: 'r1z1-'
        # Device list handed to the ringbuilder: an optional ':%PORT%/d1'
        # entry (only when swift_use_local_dir holds) followed by one
        # ':%PORT%/<device>' entry per SwiftRawDisks entry; yaql flattens the
        # nested lists into one. %PORT% is left for the profile to substitute.
        tripleo::profile::base::swift::ringbuilder::raw_disks:
          yaql:
            expression: $.data.raw_disk_lists.flatten()
            data:
              raw_disk_lists:
                - {if: [swift_use_local_dir, [':%PORT%/d1'], []]}
                - repeat:
                    template: ':%PORT%/DEVICE'
                    for_each:
                      DEVICE: {get_param: SwiftRawDisks}
      service_config_settings: {}
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: 'swift_ringbuilder'
        puppet_tags: exec,fetch_swift_ring_tarball,extract_swift_ring_tarball,ring_object_device,swift::ringbuilder::create,tripleo::profile::base::swift::add_devices,swift::ringbuilder::rebalance,create_swift_ring_tarball,upload_swift_ring_tarball
        step_config: |
          include ::tripleo::profile::base::swift::ringbuilder
        # Anchored so the copy container below runs from the same image that
        # generated the rings.
        config_image: &swift_ringbuilder_image {get_param: DockerSwiftConfigImage}
      kolla_config: {}
      docker_config:
        step_3:
          # One-shot container that publishes the rings built into the
          # swift_ringbuilder config volume into the Swift config volume.
          swift_copy_rings:
            image: *swift_ringbuilder_image
            # A local file copy needs no network namespace.
            net: none
            user: root
            detach: false
            command:
              # Use bash to run the cp command so that wildcards can be used
              - '/bin/bash'
              - '-c'
              # '-dR --preserve' is used instead of '-a': with no attribute
              # list, --preserve keeps mode, ownership and timestamps but NOT
              # the SELinux context. Copying the context would be a relabel,
              # which is not permitted inside the container and would only
              # produce AVC denials in audit.log.
              - 'cp -v -dR --preserve -t /etc/swift /swift_ringbuilder/etc/swift/*.gz /swift_ringbuilder/etc/swift/*.builder /swift_ringbuilder/etc/swift/backups'
            volumes:
              # Destination: the puppet-generated Swift config dir, read-write;
              # the 'z' option asks the runtime to give the host path a shared
              # content label. Source volume is mounted read-only.
              - /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:rw,z
              - /var/lib/config-data/swift_ringbuilder:/swift_ringbuilder:ro