tripleo-heat-templates/deployment/heat/heat-engine-container-puppet.yaml
Kevin Carter 7e8d88afa5
Allow deployments to run when selinux is disabled
This change will allow the generated playbooks to run when selinux is
disabled. Presently the seboolean module will fail when a systems has
selinux disabled. While selinux could be set permissive to avoid an
error, the disabled setting is a valid configuration and should be
respected.

> seboolean will now only run when selinux is enabled.

Change-Id: Ifd31adcf27902a8a77de9c68482306ec9da6d250
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2022-02-10 09:05:20 -06:00

327 lines
12 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack containerized Heat Engine service
parameters:
ContainerHeatEngineImage:
description: image
type: string
tags:
- role_specific
ContainerHeatConfigImage:
description: The container image to use for the heat config_volume
type: string
tags:
- role_specific
HeatEngineLoggingSource:
type: json
default:
tag: openstack.heat.engine
file: /var/log/containers/heat/heat-engine.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
HeatEngineOptVolumes:
default: []
description: list of optional volumes to be mounted
type: comma_delimited_list
HeatEngineOptEnvVars:
default: {}
description: hash of optional environment variables
type: json
HeatEnableDBPurge:
type: boolean
default: true
description: |
Whether to create cron job for purging soft deleted rows in the Heat database.
EnableSQLAlchemyCollectd:
type: boolean
description: >
Set to true to enable the SQLAlchemy-collectd server plugin
default: false
HeatWorkers:
default: 0
description: Number of workers for Heat service.
type: number
HeatMaxNestedStackDepth:
default: 6
description: Maximum number of nested stack depth.
type: number
HeatReauthenticationAuthMethod:
description: Allow reauthentication on token expiry, such that long-running tasks
may complete. Note this defeats the expiry of any provided user tokens.
type: string
default: ''
constraints:
- allowed_values: [ '', 'trusts' ]
HeatPassword:
description: The password for the Heat service and db account, used by the Heat services.
type: string
hidden: true
HeatStackDomainAdminPassword:
description: Password for heat_stack_domain_admin user.
type: string
hidden: true
HeatAuthEncryptionKey:
description: Auth encryption key for heat-engine
type: string
hidden: true
default: ''
MonitoringSubscriptionHeatEngine:
default: 'overcloud-heat-engine'
type: string
HeatConvergenceEngine:
type: boolean
default: true
description: Enables the heat engine with the convergence architecture.
HeatMaxResourcesPerStack:
type: number
default: 1000
description: Maximum resources allowed per top-level stack. -1 stands for unlimited.
HeatEnginePluginDirs:
type: comma_delimited_list
default: []
description: An array of directories to search for plug-ins.
HeatConfigureDelegatedRoles:
type: boolean
default: false
description: Create delegated roles
ClientRetryLimit:
type: number
default: 2
description: Client retries for transient errors.
conditions:
heat_workers_set:
not: {equals : [{get_param: HeatWorkers}, 0]}
resources:
ContainersCommon:
type: ../containers-common.yaml
MySQLClient:
type: ../database/mysql-client.yaml
HeatBase:
type: ./heat-base-puppet.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
HeatEngineLogging:
type: OS::TripleO::Services::Logging::HeatEngine
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- ContainerHeatEngineImage: ContainerHeatEngineImage
ContainerHeatConfigImage: ContainerHeatConfigImage
- values: {get_param: [RoleParameters]}
- values:
ContainerHeatEngineImage: {get_param: ContainerHeatEngineImage}
ContainerHeatConfigImage: {get_param: ContainerHeatConfigImage}
outputs:
role_data:
description: Role data for the Heat Engine role.
value:
service_name: heat_engine
monitoring_subscription: {get_param: MonitoringSubscriptionHeatEngine}
config_settings:
map_merge:
- get_attr: [HeatBase, role_data, config_settings]
- apache::default_vhost: false
heat::engine::configure_delegated_roles: {get_param: HeatConfigureDelegatedRoles}
heat::engine::trusts_delegated_roles: []
heat::engine::max_nested_stack_depth: {get_param: HeatMaxNestedStackDepth}
heat::engine::max_resources_per_stack: {get_param: HeatMaxResourcesPerStack}
heat::engine::reauthentication_auth_method: {get_param: HeatReauthenticationAuthMethod}
heat::engine::heat_metadata_server_url:
make_url:
scheme: {get_param: [EndpointMap, HeatCfnPublic, protocol]}
host: {get_param: [EndpointMap, HeatCfnPublic, host]}
port: {get_param: [EndpointMap, HeatCfnPublic, port]}
heat::engine::heat_waitcondition_server_url:
make_url:
scheme: {get_param: [EndpointMap, HeatCfnPublic, protocol]}
host: {get_param: [EndpointMap, HeatCfnPublic, host]}
port: {get_param: [EndpointMap, HeatCfnPublic, port]}
path: /v1/waitcondition
heat::engine::convergence_engine: {get_param: HeatConvergenceEngine}
heat::engine::client_retry_limit: {get_param: ClientRetryLimit}
tripleo::profile::base::heat::manage_db_purge: {get_param: HeatEnableDBPurge}
heat::db::database_connection:
make_url:
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
username: heat
password: {get_param: HeatPassword}
host: {get_param: [EndpointMap, MysqlInternal, host]}
path: /heat
query:
if:
- {get_param: EnableSQLAlchemyCollectd}
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
plugin: collectd
collectd_program_name: heat
collectd_host: localhost
- read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
heat::keystone_ec2_uri:
list_join:
- ''
- - {get_param: [EndpointMap, KeystoneV3Internal, uri]}
- '/ec2tokens'
heat::keystone::domain::domain_password: {get_param: HeatStackDomainAdminPassword}
heat::engine::auth_encryption_key: {get_param: HeatAuthEncryptionKey}
heat::engine::plugin_dirs: {get_param: HeatEnginePluginDirs}
- if:
- heat_workers_set
- heat::engine::num_engine_workers: {get_param: HeatWorkers}
service_config_settings:
rsyslog:
tripleo_logging_sources_heat_engine:
- {get_param: HeatEngineLoggingSource}
mysql:
heat::db::mysql::password: {get_param: HeatPassword}
heat::db::mysql::user: heat
heat::db::mysql::host: '%'
heat::db::mysql::dbname: heat
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat
puppet_tags: heat_config,file,concat,file_line
step_config:
list_join:
- "\n"
- - include tripleo::profile::base::heat::engine
- {get_attr: [MySQLClient, role_data, step_config]}
config_image: {get_attr: [RoleParametersValue, value, ContainerHeatConfigImage]}
kolla_config:
/var/lib/kolla/config_files/heat_engine.json:
command:
list_join:
- ' '
- - /usr/bin/heat-engine --config-file /etc/heat/heat.conf
- get_attr: [HeatEngineLogging, cmd_extra_args]
config_files: &heat_engine_config_files
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions: &heat_engine_permissions
- path: /var/log/heat
owner: heat:heat
recurse: true
/var/lib/kolla/config_files/heat_engine_db_sync.json:
command: "/usr/bin/bootstrap_host_exec heat_engine su heat -s /bin/bash -c 'heat-manage db_sync'"
config_files: *heat_engine_config_files
permissions: *heat_engine_permissions
docker_config:
# db sync runs before permissions set by kolla_config
step_2:
get_attr: [HeatEngineLogging, docker_config, step_2]
step_3:
heat_engine_db_sync:
image: &heat_engine_image {get_attr: [RoleParametersValue, value, ContainerHeatEngineImage]}
net: host
privileged: false
detach: false
user: root
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [HeatEngineLogging, volumes]}
- {get_param: HeatEngineOptVolumes}
-
- /var/lib/kolla/config_files/heat_engine_db_sync.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/heat:/var/lib/kolla/config_files/src:ro
environment:
map_merge:
- {get_param: HeatEngineOptEnvVars}
- KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
step_4:
heat_engine:
image: *heat_engine_image
net: host
privileged: false
stop_grace_period: 60
restart: always
healthcheck: {get_attr: [ContainersCommon, healthcheck_rpc_port]}
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [HeatEngineLogging, volumes]}
- {get_param: HeatEngineOptVolumes}
-
- /var/lib/kolla/config_files/heat_engine.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/heat:/var/lib/kolla/config_files/src:ro
environment:
map_merge:
- {get_param: HeatEngineOptEnvVars}
- KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks:
list_concat:
- {get_attr: [HeatEngineLogging, host_prep_tasks]}
- - name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: true
state: true
when:
- ansible_facts.selinux is defined
- ansible_facts.selinux.status == "enabled"
upgrade_tasks: []
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop heat engine container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- heat_engine
tripleo_delegate_to: "{{ groups['heat_engine'] | default([]) }}"