d1bf6c6f21
There is no need to bind mount /etc/ssh/ssh_known_hosts for all the containers. It's only useful for nova_compute and nova_libvirt containers where live migration needs that file to work. Change-Id: I9765dedf43d2c6765922eafaa9d5791ce488b41f
187 lines
6.0 KiB
YAML
187 lines
6.0 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
Contains a static list of common things necessary for containers
|
|
|
|
parameters:
|
|
|
|
# Required parameters
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
|
|
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
RpcPort:
|
|
default: 5672
|
|
description: The network port for messaging backend
|
|
type: number
|
|
|
|
PcmkConfigRestartTimeout:
|
|
default: 600
|
|
description: Time in seconds to wait for a pacemaker resource to restart when
|
|
a config change is detected and the resource is being restarted
|
|
type: number
|
|
|
|
ContainerCli:
|
|
type: string
|
|
default: 'podman'
|
|
description: CLI tool used to manage containers.
|
|
constraints:
|
|
- allowed_values: ['docker', 'podman']
|
|
|
|
conditions:
|
|
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
|
|
|
|
outputs:
|
|
container_config_scripts:
|
|
description: Shared container config scripts
|
|
value:
|
|
container_puppet_apply.sh:
|
|
mode: "0700"
|
|
content: |
|
|
#!/bin/bash
|
|
set -eux
|
|
STEP=$1
|
|
TAGS=$2
|
|
CONFIG=$3
|
|
EXTRA_ARGS=${4:-''}
|
|
if [ -d /tmp/puppet-etc ]; then
|
|
# ignore copy failures as these may be the same file depending on docker mounts
|
|
cp -a /tmp/puppet-etc/* /etc/puppet || true
|
|
fi
|
|
echo "{\"step\": ${STEP}}" > /etc/puppet/hieradata/docker_puppet.json
|
|
# $::deployment_type in puppet-tripleo
|
|
export FACTER_deployment_type=containers
|
|
set +e
|
|
puppet apply $EXTRA_ARGS \
|
|
--verbose \
|
|
--detailed-exitcodes \
|
|
--summarize \
|
|
--color=false \
|
|
--modulepath /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules \
|
|
--tags $TAGS \
|
|
-e "noop_resource('package'); ${CONFIG}"
|
|
rc=$?
|
|
set -e
|
|
set +ux
|
|
if [ $rc -eq 2 -o $rc -eq 0 ]; then
|
|
exit 0
|
|
fi
|
|
exit $rc
|
|
pyshim.sh:
|
|
mode: "0755"
|
|
content: { get_file: ../container_config_scripts/pyshim.sh }
|
|
pacemaker_restart_bundle.sh:
|
|
mode: "0755"
|
|
content:
|
|
str_replace:
|
|
template: { get_file: ../container_config_scripts/pacemaker_restart_bundle.sh }
|
|
params:
|
|
__PCMKTIMEOUT__: {get_param: PcmkConfigRestartTimeout}
|
|
pacemaker_wait_bundle.sh:
|
|
mode: "0755"
|
|
content:
|
|
str_replace:
|
|
template: { get_file: ../container_config_scripts/pacemaker_wait_bundle.sh }
|
|
params:
|
|
__PCMKTIMEOUT__: {get_param: PcmkConfigRestartTimeout}
|
|
|
|
volumes_base:
|
|
description: Base volume list
|
|
value: &volumes_base
|
|
list_concat:
|
|
- - /etc/hosts:/etc/hosts:ro
|
|
- /etc/localtime:/etc/localtime:ro
|
|
# OpenSSL trusted CAs
|
|
- /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
|
|
- /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro
|
|
- /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
|
|
- /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
|
|
- /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
|
|
# Syslog socket
|
|
- /dev/log:/dev/log
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro'
|
|
- null
|
|
|
|
volumes:
|
|
description: Common volumes for the containers.
|
|
value:
|
|
list_concat:
|
|
- *volumes_base
|
|
# required for bootstrap_host_exec
|
|
- - /etc/puppet:/etc/puppet:ro
|
|
|
|
pacemaker_restart_volumes:
|
|
description: Common volumes for the pacemaker restart containers.
|
|
value:
|
|
list_concat:
|
|
- *volumes_base
|
|
- - /var/lib/container-config-scripts/pacemaker_restart_bundle.sh:/pacemaker_restart_bundle.sh:ro
|
|
- /var/lib/container-config-scripts/pacemaker_wait_bundle.sh:/pacemaker_wait_bundle.sh:ro
|
|
- /dev/shm:/dev/shm:rw
|
|
# required for bootstrap_host_exec, facter
|
|
- /etc/puppet:/etc/puppet:ro
|
|
- if:
|
|
- docker_enabled
|
|
- - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
|
|
- null
|
|
|
|
container_puppet_apply_volumes:
|
|
description: Common volumes needed to run the container_puppet_apply.sh from container_config_scripts
|
|
value:
|
|
list_concat:
|
|
- *volumes_base
|
|
- - /var/lib/container-config-scripts/container_puppet_apply.sh:/container_puppet_apply.sh:ro
|
|
# container_puppet_apply.sh will copy this to /etc/puppet in the container
|
|
- /etc/puppet:/tmp/puppet-etc:ro
|
|
- /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
|
|
|
|
healthcheck_rpc_port:
|
|
description: healthcheck command that probes the RpcPort
|
|
value:
|
|
test:
|
|
str_replace:
|
|
template:
|
|
'/openstack/healthcheck RPCPORT'
|
|
params:
|
|
RPCPORT: {get_param: RpcPort}
|