a9e7a6fa92
Use kolla_config to merge etcd's cert and key files into containers, and set the ownership so the corresponding service can read the files.

Previously, etcd's cert and key files were directly bind mounted in the etcd and cinder containers that need the files. An ACL was added to ensure the corresponding services had read access to the files on the host, which are owned by root. The ACL was cumbersome, and required hardcoding the UID of each service.

Change-Id: Ic606e751cb046c34d33a94a2acd4313f4043441f
Depends-On: I0ea26253355a57b3721bfa6ceef3972eaabc5b1d
(cherry picked from commit 7bcdd2448b)
(cherry picked from commit 978c4e05de)
# Heat template for the containerized Cinder Scheduler service.
heat_template_version: rocky

# Folded scalar: the description is a single line plus a trailing newline.
description: >
  OpenStack containerized Cinder Scheduler service

# Inputs to this service template. Only the two image parameters have no
# default and therefore must be supplied by the caller.
parameters:
  # Image used by both containers declared under docker_config.
  ContainerCinderSchedulerImage:
    description: image
    type: string
  # Image used for the puppet_config run (config_image).
  ContainerCinderConfigImage:
    description: The container image to use for the cinder config_volume
    type: string
  # Log source handed to rsyslog through service_config_settings.
  CinderSchedulerLoggingSource:
    type: json
    default:
      tag: openstack.cinder.scheduler
      file: /var/log/containers/cinder/cinder-scheduler.log
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry. This
      mapping overrides those in ServiceNetMapDefaults.
    type: json
  # Forwarded unchanged to the CinderBase nested stack.
  # NOTE(review): this parameter is not marked `hidden: true`; confirm
  # whether the values it carries can show up in stack parameter output.
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  # Emitted as role_data.monitoring_subscription.
  MonitoringSubscriptionCinderScheduler:
    default: 'overcloud-cinder-scheduler'
    type: string

# Nested templates, referenced by path relative to this file. Their
# attributes are read with get_attr in the outputs section.
resources:

  # Supplies the healthcheck definition for the service container.
  ContainersCommon:
    type: ../containers-common.yaml

  # Supplies an extra step_config fragment for the puppet run.
  MySQLClient:
    type: ../database/mysql-client.yaml

  # Shared cinder settings; every common parameter is passed straight
  # through, including DefaultPasswords.
  CinderBase:
    type: ./cinder-base.yaml
    properties:
      EndpointMap: {get_param: EndpointMap}
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

  # Supplies cinder_common_volumes, the base volume list of the service
  # container. The mounts themselves are defined in that template.
  CinderCommon:
    type: ./cinder-common-container-puppet.yaml

# NOTE(review): the nesting below was rebuilt from a page that had lost
# all indentation; compare with the repository copy before relying on it.
outputs:
  role_data:
    description: Role data for the Cinder Scheduler role.
    value:
      service_name: cinder_scheduler
      monitoring_subscription:
        get_param: MonitoringSubscriptionCinderScheduler
      # Base cinder settings plus the scheduler driver selection.
      config_settings:
        map_merge:
          - get_attr: [CinderBase, role_data, config_settings]
          - cinder::scheduler::scheduler_driver: cinder.scheduler.filter_scheduler.FilterScheduler
      service_config_settings:
        map_merge:
          - get_attr: [CinderBase, role_data, service_config_settings]
          - rsyslog:
              tripleo_logging_sources_cinder_scheduler:
                - get_param: CinderSchedulerLoggingSource
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: cinder
        puppet_tags: cinder_config,file,concat,file_line
        step_config:
          # list_join: the delimiter first, then the lists to join.
          list_join:
            - "\n"
            - - 'include ::tripleo::profile::base::cinder::scheduler'
            - - get_attr: [CinderBase, role_data, step_config]
              - get_attr: [MySQLClient, role_data, step_config]
        config_image:
          get_param: ContainerCinderConfigImage
      kolla_config:
        /var/lib/kolla/config_files/cinder_scheduler.json:
          command: /usr/bin/cinder-scheduler --config-file /usr/share/cinder/cinder-dist.conf --config-file /etc/cinder/cinder.conf
          # Both sources are merged into "/" inside the container with
          # their properties preserved; only the src-tls tree is optional.
          config_files:
            - source: '/var/lib/kolla/config_files/src/*'
              dest: '/'
              merge: true
              preserve_properties: true
            - source: '/var/lib/kolla/config_files/src-tls/*'
              dest: '/'
              merge: true
              preserve_properties: true
              optional: true
          # Ownership is set on the paths inside the container so that
          # the cinder user can read the etcd cert and key. Per the commit
          # message this replaces the host-side ACL on root-owned files.
          # NOTE(review): no `perm` is given for etcd.key, so its mode is
          # whatever the merged source carries; confirm it is not group-
          # or world-readable.
          permissions:
            - path: /var/log/cinder
              owner: cinder:cinder
              recurse: true
            - path: /etc/pki/tls/certs/etcd.crt
              owner: cinder:cinder
            - path: /etc/pki/tls/private/etcd.key
              owner: cinder:cinder
      docker_config:
        step_2:
          # One-shot container: runs as root only to chown the log
          # directory, with no network attached and not privileged.
          cinder_scheduler_init_logs:
            image: &cinder_scheduler_image {get_param: ContainerCinderSchedulerImage}
            net: none
            privileged: false
            user: root
            volumes:
              - /var/log/containers/cinder:/var/log/cinder:z
            command:
              - '/bin/bash'
              - '-c'
              - 'chown -R cinder:cinder /var/log/cinder'
        step_4:
          # Long-running service container: shares the host network
          # namespace (net: host) but is not privileged.
          cinder_scheduler:
            image: *cinder_scheduler_image
            net: host
            privileged: false
            restart: always
            healthcheck:
              get_attr: [ContainersCommon, healthcheck_rpc_port]
            volumes:
              list_concat:
                - get_attr: [CinderCommon, cinder_common_volumes]
                # The kolla config.json is mounted read-only.
                - - /var/lib/kolla/config_files/cinder_scheduler.json:/var/lib/kolla/config_files/config.json:ro
            environment:
              KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
      host_prep_tasks:
        # Host log directory, mode 0750, labelled for container access.
        - name: create persistent directories
          file:
            path: "{{ item.path }}"
            state: directory
            setype: "{{ item.setype }}"
            mode: "{{ item.mode }}"
          with_items:
            - path: /var/log/containers/cinder
              setype: svirt_sandbox_file_t
              mode: '0750'
        # Turns the SELinux boolean on persistently on the host; the
        # task name ties it to the container healthcheck.
        - name: enable virt_sandbox_use_netlink for healthcheck
          seboolean:
            name: virt_sandbox_use_netlink
            persistent: true
            state: true
      external_upgrade_tasks:
        # Tagged `never`, so the block runs only when one of the
        # system_upgrade_* tags is requested, and only at step 1.
        - when:
            - step|int == 1
          tags:
            - never
            - system_upgrade_transfer_data
            - system_upgrade_stop_services
          block:
            - name: Stop cinder scheduler container
              import_role:
                name: tripleo-container-stop
              vars:
                tripleo_containers_to_stop:
                  - cinder_scheduler
                tripleo_delegate_to: "{{ groups['cinder_scheduler'] | default([]) }}"